TAMPER RESISTANT MICROPROCESSOR

BACKGROUND OF THE INVENTION 

1. Field of the Invention

The present invention relates to a microprocessor that can
prevent illegal alteration of execution codes and processing
target data under a multi-task program execution environment.

2. Description of the Background Art 

In recent years, the performance of a microprocessor has
improved considerably such that the microprocessor is
capable of realizing reproduction and editing of video
images and audio sounds, in addition to the conventional
functions such as computations and graphics. By implementing
such a microprocessor in a system designed for
end-user (which will be referred to as PC hereafter), the
users can enjoy various video images and audio sounds on
monitors. Also, by combining the function for reproducing
video images and audio sounds with the computational
power of the PC, the applicability to games or the like can
be improved. Such a microprocessor is not designed for any
specific hardware and can be implemented in a variety of
hardwares so that there is an advantage that the users who
already possess PCs can enjoy reproduction and editing of
video images and audio sounds inexpensively by simply
changing a microprocessor for executing programs.

In the case of handling video images and audio sounds on
PCs, there arises a problem of a protection of the copyright
of original images or music. In the MD or digital video
playback devices, unlimited copies can be prevented by
implementing a mechanism for preventing the illegal copying
in these devices in advance. It is rather rare to attempt
the illegal copying by disassembling and altering these
devices, and even if such devices are made, there is a
worldwide trend for prohibiting the manufacturing and sales
of devices altered for the purpose of illegal copying by laws.
Consequently, damages due to the hardware based illegal
copying are not very serious.

However, image data and music data are actually processed
on the PC by the software rather than the hardware,
and the end-user can freely alter the software on the PC.
Namely, if the user has some level of knowledge, it is quite
feasible to carry out the illegal copying by analyzing programs
and rewriting the executable software. In addition,
there is a problem that the software for illegal copying so
produced can be spread very quickly through media such as
networks, unlike the hardware.

In order to resolve these problems, conventionally a PC
software to be used for reproducing copyright protected
contents such as commercial films or music has employed a
technique for preventing analysis and alteration by encrypting
the software. This technique is known as a tamper
resistant software (see David Aucsmith et al., "Tamper
Resistant Software: An Implementation", Proceedings of the
1996 Intel Software Developer's Conference).

The tamper resistant software technique is also effective
in preventing illegal copying of valuable information including
not only video and audio data but also text and know-how
that is to be provided to a user through the PC, and
protecting know-how contained in the PC software itself
from analysis.

However, the tamper resistant software technique is a
technique which makes analysis using tools such as disassembler
or debugger difficult by encrypting a portion of the
program that requires protection before the execution of the
program starts, decrypting that portion immediately before
executing that portion and encrypting that portion again
immediately after the execution of that portion is completed.
Consequently, as long as the program is executable by a
processor, it is always possible to analyze the program by
carrying out the analysis step by step starting from the start
of the program.

This fact has been an obstacle for a copyright owner to
provide copyright protected contents to a system for reproducing
video and audio data using the PC.

The other tamper resistant software applications are also
vulnerable in this regard, and this fact has been an obstacle
to a sophisticated information server through the PC and an
application of a program containing know-how of an enterprise
or individual to the PC.

These are problems that equally apply to the software
protection in general, but in addition, the PC is an open
platform so that there is also a problem of an attack by
altering the operating system (OS) which is intended to be
a basis of the system's software configuration. Namely, a
skilled and malicious user can alter the OS of his own PC to
invalidate or analyze the copyright protection mechanisms
incorporated in application programs by utilizing privileges
given to the OS.

The current OS realizes the management of resources
under the control of the computer and the arbitration of their
uses by utilizing a privileged operation function with respect
to a memory and an execution control function provided in
CPU. Targets of the management include the conventional
targets such as devices, CPU and memory resources, as well
as QoS (Quality of Service) at network or application level.
Nevertheless, the basics of the resource management are still
allocations of resources necessary for the execution of a
program. Namely, an allocation of a CPU time to the
execution of that program and an allocation of a memory
space necessary for the execution are the basics of the
resource management. The control of the other devices,
network and application QoS is realized by controlling the
execution of a program that makes accesses to these
resources (by allocating a CPU time and a memory space).

The OS has privileges for carrying out the CPU time
allocation and the memory space allocation. Namely, the OS
has a privilege for interrupting and restarting an application
program at arbitrary timing and a privilege to move a content
of a memory space allocated to an application program to a
memory of a different hierarchical level at arbitrary timing,
in order to carry out the CPU time allocation. The latter
privilege is also used for the purpose of providing a flat
memory space to the application by concealing (normally)
hierarchical memory systems with different access speeds
and capacities from the application.

Using these two privileges, the OS can interrupt an
execution state of the application and take a snapshot of it
at arbitrary timing, and restart it after making a copy of it or
rewriting it. This function can also be used as a tool for
analyzing secrets hidden in the application.

In order to prevent an analysis of the application on a
computer, there are several known techniques for encrypting
programs or data (Rampson, U.S. Pat. No. 4,847,902;
Hartman, U.S. Pat. No. 5,224,166; Davis, U.S. Pat. No.
5,806,706; Takahashi et al., U.S. Pat. No. 5,825,878; Buer et
al., U.S. Pat. No. 6,003,117; Japanese Patent Application
Laid Open No. 11-282667 (1999), for example). However,
these known techniques do not account for the protection of
the program operation and the data secrecy from the above
described privileged operations of the OS.
The conventional technique based on the x86 architecture
of Intel Corporation (Hartman, U.S. Pat. No. 5,224,166) is
a technique for storing the execution codes and data by
encrypting them by using a prescribed encryption key Kx.
The encryption key Kx is given in a form of E_Kp[Kx] which
is encrypted by using a public key Kp corresponding to a
secret key Ks embedded in a processor. Consequently, only
the processor that knows Ks can decrypt the encrypted
execution codes on a memory. The encryption key Kx is
stored in a register inside the processor called a segment
register.

Using this mechanism, it is possible to protect the secrecy
of the program codes from the user to some extent by
encrypting the codes. Also, it becomes cryptographically
difficult for a person who does not know the encryption key
Kx of the codes to alter the codes according to his intention
or newly produce codes that are executable when decrypted
by using the encryption key Kx.

However, the system employing this technique has a
drawback in that the analysis of the program becomes
possible by utilizing a privilege of the OS called a context
switching, without decrypting the encrypted execution
codes.

More specifically, when the execution of the program is
stopped by the interruption or when the program voluntarily
calls up a software interruption command due to the system
call up, the OS carries out the context switching for the
purpose of the execution of the other program. The context
switching is an operation to store an execution state (which
will be referred to as a context information hereafter) of the
program indicating a set of register values at that point into
a memory, and restoring the context information of another
program stored in the memory in advance into the registers.

FIG. 15 shows the conventional context storing format
used in the x86 processor. All the contents of the registers
used by the application are contained here. The context
information of the interrupted program is restored into the
registers when the program is restarted. The context switching
is an indispensable function in order to operate a
plurality of programs in parallel. In the conventional
technique, the OS can read the register values at a time of the
context switching, so that it is possible to guess most of the
operations made by the programs if not all, according to how
the execution state of that program has changed.

In addition, by controlling a timing at which the exception
occurs by setting of a timer or the like, it is possible to carry
out this processing at arbitrary execution point of the program.
Apart from the interruption of the execution and the
analysis, it is also possible to rewrite the register information
by malicious intention. The rewriting of the registers can not
only change the operation of the program but also make the
program analysis easier. The OS can store arbitrary state of
the application so that it is possible to analyze the operation
of the program by rewriting the register values and operating
the program repeatedly. In addition to the above described
functions, the processor has a debugging support function
such as a stepwise execution, and there has been a problem
that the OS can analyze the application by utilizing all these
functions.
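
The summary on this page answers the context-switch analysis above by having the processor encrypt the saved state together with the program's code encryption key, sign it, and verify both before restart. The Python model below of that save/restore check is an added illustration, not code from the patent; the register subset, key sizes, the HMAC-based stand-in for the cipher and the signature, and all names are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical register subset and sizes, chosen for this example only.
REG_NAMES = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip", "eflags")
REG_FMT = ">%dI" % len(REG_NAMES)
REG_LEN = struct.calcsize(REG_FMT)          # 40 bytes of register state
KEY_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


class RestoreError(Exception):
    """The saved context must not be resumed."""


def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode. The page names no cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Processor:
    """Model of a chip whose secret cannot be read out by software."""

    def __init__(self, chip_secret):
        # Separate keys for encryption and for the signature (a MAC in this model).
        self._enc_key = hmac.new(chip_secret, b"ctx-enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(chip_secret, b"ctx-mac", hashlib.sha256).digest()

    def save_context(self, registers, code_key):
        """Interrupt path: seal the registers plus the program's code key."""
        if len(code_key) != KEY_LEN:
            raise ValueError("code key must be %d bytes" % KEY_LEN)
        plain = struct.pack(REG_FMT, *(registers[n] for n in REG_NAMES)) + code_key
        nonce = os.urandom(NONCE_LEN)
        sealed = _xor(plain, _keystream(self._enc_key, nonce, len(plain)))
        tag = hmac.new(self._mac_key, nonce + sealed, hashlib.sha256).digest()
        return nonce + sealed + tag          # this blob is all the OS ever holds

    def restore_context(self, blob, scheduled_code_key):
        """Restart path: check the signature, then the code key, then load."""
        if len(blob) != NONCE_LEN + REG_LEN + KEY_LEN + TAG_LEN:
            raise RestoreError("malformed context")
        nonce, sealed, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        good = hmac.new(self._mac_key, nonce + sealed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise RestoreError("signature mismatch")
        plain = _xor(sealed, _keystream(self._enc_key, nonce, len(sealed)))
        if not hmac.compare_digest(plain[REG_LEN:], scheduled_code_key):
            raise RestoreError("code key mismatch")
        return dict(zip(REG_NAMES, struct.unpack(REG_FMT, plain[:REG_LEN])))


def outcome(cpu, blob, code_key):
    """Return 'resumed' or the reason the processor refused to restart."""
    try:
        cpu.restore_context(blob, code_key)
        return "resumed"
    except RestoreError as exc:
        return str(exc)


def demo():
    cpu = Processor(b"\x11" * 32)                      # constructed chip secret
    key_a, key_b = b"A" * KEY_LEN, b"B" * KEY_LEN      # constructed code keys
    regs = {name: 0x1000 + i for i, name in enumerate(REG_NAMES)}
    blob = cpu.save_context(regs, key_a)
    edited = bytearray(blob)
    edited[NONCE_LEN + 32] ^= 0x01                     # one bit of the saved eip changed in memory
    return {
        "untouched": outcome(cpu, blob, key_a),
        "register edited in memory": outcome(cpu, bytes(edited), key_a),
        "restored under another program's key": outcome(cpu, blob, key_b),
        "moved to another chip": outcome(Processor(b"\x22" * 32), blob, key_a),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-40s %s" % (case, result))
```

The model does not address restoring an older blob that is still valid; the sealed format alone cannot tell it from the latest one.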

As far as data are concerned, U.S. Pat. No. 5,224,166
asserts that the program can access the encrypted data only
by the program execution using the encrypted code segment.
Here, there is a problem that the encrypted data can be freely
read by the encrypted program by using arbitrary key,
regardless of the encryption key by which the program is
encrypted, even when there are programs encrypted by using
mutually different encryption keys. This conventional technique
does not account for the case where the OS and the
application have their own secrets independently and the
secret of the application is to be protected from the OS or a
plurality of program providers have their own secrets separately.

Of course, it is possible to separate memory spaces among
the applications and to prohibit accesses to a system memory
by the applications by the protection function provided in
the virtual memory mechanism even in the existing processor.
However, as long as the virtual memory mechanism is
under the management of the OS, the protection of the secret
of the application cannot rely on the function under the
management of the OS. This is because the OS can access
data by ignoring the protection mechanism, and this privilege
is indispensable in providing the virtual memory function
as described above.

As another conventional technique, Japanese Patent
Application Laid Open No. 11-282667 (1999) discloses a
technique of a secret memory provided inside the CPU in
order to store the secret information of the application. In
this technique, a prescribed reference value is required in
order to access data in the secret memory. However, this
reference fails to disclose how to protect the reference value
for obtaining the access right with respect to the secret data
from a plurality of programs operating in the same CPU,
especially the OS.

Also, in U.S. Pat. No. 5,123,045, Ostrovsky et al. disclose
a system that presupposes the use of sub-processors having
unique secret keys corresponding to the applications, in
which the operation of the program cannot be guessed from
the access pattern by which these sub-processors are accessing
programs placed on a main memory. This is based on a
mechanism for carrying out random memory accesses by
converting the instruction system for carrying out operations
with respect to the memory into another instruction system
different from that.

However, this technique requires different sub-processors
for different applications so that it requires a high cost, and
the implementation and fast realization of the compiler and
processor hardware for processing such instruction system
are expected to be very difficult as they are quite different
from those of the currently used processors. Besides that, in
this type of processor, it becomes difficult to comprehend
correspondences among the data contents and the operations
even when the data and the operations of the actually
operated codes are observed and traced so that the debugging
of the program becomes very difficult, and therefore
this technique has many practical problems, compared with
the other conventional techniques described above in which
the program codes and the data are simply encrypted, such
as those of U.S. Pat. No. 5,224,166 and Japanese Patent
Application Laid Open No. 11-282667.

SUMMARY OF THE INVENTION

Therefore the first object of the present invention is to
provide a microprocessor capable of surely protecting both
the internally executed algorithm and the data state inside a
memory region from illegal analysis in the multi-task environment
even when the execution is stopped by the interruption.

This first object is motivated by the fact that the conventional
techniques are capable of protecting values of the
program codes but are incapable of preventing the analysis
utilizing the interruption of the program execution by the
exception occurrence or the debugging function. Thus the
present invention aims at providing a microprocessor
capable of surely protecting the codes even at a time of the
program execution interruption, in which this protection is
compatible with both the execution control function and the
memory management function required by the current OS.

The second object of the present invention is to provide a
microprocessor in which each program can secure a correctly
readable/writable data region independently even
when a plurality of programs encrypted by using different
encryption keys are to be executed.

This second object is motivated by the fact that the
conventional technique of U.S. Pat. No. 5,224,166 only
provides a simple protection in which accesses to the
encrypted data region by non-encrypted codes are
prohibited, and it has been impossible for a plurality of
programs to protect their own secrets independently. Thus
the present invention also aims at providing a microprocessor
which has a data region for protecting secret of each
application from the OS when a plurality of applications
have their respective (encrypted) secrets.

The third object of the present invention is to provide a
microprocessor capable of protecting the protected attributes
(i.e., encrypted attributes) of the above described data region
from illegal rewriting by the OS.

This third object is motivated by the fact that the conventional
technique of U.S. Pat. No. 5,224,166 has a drawback
in that the OS can rewrite the encrypted attributes set
in the segment register by interrupting the execution of the
program using the context switching. Once the program is
put in a state where data are written in a form of plaintext by
rewriting the encrypted attributes, data will be written into
a memory without encryption. Even if the application
checks the segment register value at some timing, the result
is the same if the register value is rewritten after that. Thus
the present invention also aims at providing a microprocessor
provided with a mechanism which is capable of prohibiting
such an alteration or detecting such an alteration and
taking appropriate measure against such an alteration.

The fourth object of the present invention is to provide a
microprocessor capable of protecting the encrypted
attributes from the so called chosen-plaintext attack of the
cryptoanalysis theory, in which the program can use arbitrary
value as the data encryption key.

The fifth object of the present invention is to provide a
microprocessor provided with a mechanism for the program
debugging and feedback. Namely, the present invention
aims at providing a microprocessor in which the debugging
of the program is carried out in plaintext and the feedback
of information on defects is provided to a program code
provider (program vendor) in the case of the execution
failure.

The sixth object of the present invention is to provide a
microprocessor capable of achieving the first to fifth objects
described above in a form that realizes both a low cost and
a high performance.

In order to achieve the first object, the first aspect of the
present invention has the following features. The microprocessor
which is formed as a single chip or a single package
reads a plurality of programs encrypted by using code
encryption keys that are different for different programs,
from a memory (a main memory, for example) external of
the microprocessor through a bus interface unit that provides

In the case of interrupting the execution of some program
among the plurality of programs, a context information
encryption/decryption unit that provides an execution state
writing function encrypts information indicating a state of
execution up to an interrupted point of the program to be
interrupted and the code encryption key of this program, by
using an encryption key unique to the microprocessor, and
writes the encrypted information as a context information
into a memory external of the microprocessor.

In the case of restarting the interrupted program, a verification
unit that provides a restarting function decrypts the
encrypted context information by using a unique decryption
key corresponding to the unique encryption key of the
microprocessor, and restarts the execution of the program
only when the code encryption key contained in the
decrypted context information (that is the code encryption
key of the program scheduled to be restarted) coincides with
the original code encryption key of the interrupted program.

In addition, in order to achieve the second and third
objects, the microprocessor also has a memory region (a
register, for example) inside the processor that cannot be
read out to the external, and an encrypted attribute writing
unit (an instruction TLB, for example) for writing encrypted
attributes for the processing target data of the program into
the internal memory. The encrypted attributes include the
code encryption of the program and an encryption target
address range, for example. At least a part of these
encrypted attributes is contained in the context information.

The context information encryption/decryption unit also
attaches a signature based on a secret information unique to
the microprocessor to the context information. In this case,
the verification unit judges whether the signature contained
in the decrypted context information coincides with the
original signature based on the secret information unique to
the microprocessor or not, and restarts the interrupted program
only when they coincide.

In this way, the state of execution up to an interrupted
point of the encrypted program is stored in the external
memory as the context information, while the protected
attributes of the execution processing target data are stored
in the register inside the processor, so that the illegal
alteration of the data can be prevented.

In order to achieve the fourth object, the second aspect of
the present invention has the following features. The microprocessor
that is formed as a single chip or a single package
maintains a unique secret key therein that cannot be read out
to the external. The bus interface unit that provides a reading
function reads the code encryption key that is encrypted by
using a unique public key of the microprocessor corresponding
to the secret key in advance from a memory external of
the microprocessor. A key decryption unit that provides a
first decryption function decrypts the read out code encryption
key by using the secret key of the microprocessor. The
bus interface unit also reads out a plurality of programs
encrypted by respectively different code encryption keys
from an external memory. A code decryption unit that
provides a second decryption function decrypts these plurality
of read out programs. The instruction execution unit
executes these plurality of decrypted programs.

In the case of interrupting the execution of some program
among the plurality of programs, a random number generation
mechanism generates a random number as a temporary

a reading function. Adecryp lion unii decrypts these plurality key. The context information encryption/decryption unit 

of read out programs by using respectively corresponding OS writes a first value obtained by encrypting information 

decryption keys, and an instruction execution unit executes indicating the execution stale of the program to be inler- 

these plurality of decrypted programs. rupted by using the random number, a second value obtained 
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by encrypting this random number by using I be code encryp- 
tion key of the program to be interrupted, and a third value 
obtained by encrypting ihis random number by using the 
secret key of ihe microprocessor, into the external memory 
as the context information. 

In the case of restarting the execution of the program, the
context information encryption/decryption unit reads out the
context information from the external memory, decrypts the
random number of the third value contained in the context
information by using the secret key, and decrypts the execution
state information contained in the context information
by using the decrypted random number. At the same time,
the random number of the second value contained in the
context information is decrypted by using the code encryption
key of the program scheduled to be restarted. The
random number obtained by decrypting the second value by
using the code encryption key and the random number
obtained by decrypting the third value by using the secret
key are compared with the temporary key, and the execution
of the program is restarted only when they coincide.

In this way, the context information indicating the state of
execution up to an interrupted point is encrypted by using
the random number that is generated at each occasion of the
storing, and the signature using the secret key unique to the
microprocessor is attached, so that the context information
can be stored in the external memory safely.
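
The save and restart sequence of the second aspect, as an added Python model that is not part of the patent text. The toy Feistel and keystream ciphers, the function names, the 16-byte key sizes and the sample values are assumptions made for illustration, and a symmetric stand-in keyed by Ks replaces the operation with the processor's secret key.

```python
import hashlib
import hmac
import secrets


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (assumption, not from the patent).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on one 16-byte block (stand-in cipher)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: the same rounds applied in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Keystream cipher for the execution state; the key is the one-time
    random number, so the keystream is never reused across saves."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += _xor(data[off:off + 32], pad)
    return bytes(out)


def save_context(state: bytes, kx: bytes, ks: bytes) -> dict:
    """Interrupt: draw a fresh temporary key r and write the three values."""
    r = secrets.token_bytes(16)
    return {
        "first": stream_xor(r, state),    # execution state under r
        "second": block_encrypt(kx, r),   # r under the program's code encryption key
        "third": block_encrypt(ks, r),    # r under the processor's secret key
    }


def restart(ctx: dict, kx_of_restarted_program: bytes, ks: bytes):
    """Return the recovered execution state, or None when the two recovered
    random numbers do not coincide and the restart is refused."""
    r_from_third = block_decrypt(ks, ctx["third"])
    r_from_second = block_decrypt(kx_of_restarted_program, ctx["second"])
    if not hmac.compare_digest(r_from_third, r_from_second):
        return None
    return stream_xor(r_from_third, ctx["first"])


if __name__ == "__main__":
    # Constructed sample values.
    ks = bytes.fromhex("00112233445566778899aabbccddeeff")
    kx_a, kx_b = b"program-A-key-01", b"program-B-key-02"
    state = b"R0..R31 and PC of program A (constructed)"
    ctx = save_context(state, kx_a, ks)
    print("restart with A's key:", restart(ctx, kx_a, ks))
    print("restart with B's key:", restart(ctx, kx_b, ks))
```
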

In order to achieve the first to third and sixth objects, the
third aspect of the present invention has the following
features. The microprocessor that is formed as a single chip
or a single package reads out a plurality of programs
encrypted by using the encryption keys that are different for
different programs, and executes them. This microprocessor
has an internal memory (a register, for example) that cannot
be read out to the external, and stores the encrypted
attributes for data to be referred from each program (that is
the processing target data) and the encrypted attribute specifying
information into the register. The context information
encryption/decryption unit writes a related information that
is related to the encrypted attribute specifying information
stored in the register and containing a signature unique to the
microprocessor, into the external memory. A protection table
management unit reads the related information from the
external memory according to an address of the data to be
referred by the program. The verification unit verifies the
signature contained in the read out related information by
using the secret key, and permits the data referring by the
program according to the encrypted attribute specifying
information and the read out related information only when
that signature coincides with the signature unique to the
microprocessor.

In this configuration, the information to be stored in the
internal register is attached with the signature and stored into
the external memory, and only the necessary portion is read
out to the microprocessor. The signature is verified at a time
of reading, so that the safety against the substitution can be
secured. Even when the number of programs to be handled
is increased and the number of the encrypted attributes is
increased, there is no need to expand the memory region
inside the microprocessor so that a cost can be reduced.

According to one aspect of the present invention there is 
provided a microprocessor having a unique secret key and a 
unique public key corresponding to the unique secret key 
that cannot be read out to external, comprising: a reading 
unit configured to read out a plurality of programs encrypted 
by using different execution code encryption keys from an 
external memory; a decryption unit configured to decrypt the 
plurality of programs read out by the reading unit by using
respective decryption keys; an execution unit configured to
execute the plurality of programs decrypted by the decryption
unit; a context information saving unit configured to
save a context information for one program whose execution
is to be interrupted, into the external memory or a context
information memory provided inside the microprocessor,
the context information containing information indicating an
execution state of the one program and the execution code
encryption key of the one program; and a restart unit
configured to restart an execution of the one program by 
reading out the context information from the external 
memory or the context information memory, and recovering 
the execution state of the one program from the context 
information. 

Other features and advantages of the present invention 
will become apparent from the following description taken 
in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram showing a system incorporating
a microprocessor according to the first embodiment of the
present invention.

FIG. 2 is a diagram showing an entire memory space used
in the microprocessor of FIG. 1.

FIG. 3 is a block diagram showing a basic configuration
of a microprocessor according to the second embodiment of
the present invention.

FIG. 4 is a block diagram showing a detailed configuration
of the microprocessor of FIG. 3.

FIG. 5 is a diagram showing a page directory and a page
table format used in the microprocessor of FIG. 3.

FIG. 6 is a page table and a key entry format used in the
microprocessor of FIG. 3.

FIGS. 7A and 7B are diagrams respectively showing
exemplary data before and after interleaving used in the
microprocessor of FIG. 3.

FIG. 8 is a diagram showing a flow of information for a
code decryption processing to be carried out in the microprocessor
of FIG. 3.

FIG. 9 is a diagram showing a CPU register used in the
microprocessor of FIG. 3.

FIG. 10 is a diagram showing a context saving format
used in the microprocessor of FIG. 3.

FIG. 11 is a flow chart for a protection domain switching
procedure to be carried out in the microprocessor of FIG. 3.

FIG. 12 is a diagram showing a flow of information for
data encryption and decryption processing to be carried out
in the microprocessor of FIG. 3.

FIG. 13 is a diagram conceptually showing a process of
execution control within a protection domain by the microprocessor
of FIG. 3.

FIG. 14 is a diagram conceptually showing a process of 
call up and branching from a protection domain to a non- 
protection domain by the microprocessor of FIG. 3. 

FIG. 15 is a diagram showing a context saving format 
used in a conventional processor. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring now to FIG. 1 and FIG. 2, the first embodiment 
of a tamper resistant microprocessor according to the present 
invention will be described in detail. 






US 6,983,374 B2 






This first embodiment is directed to a microprocessor for
protecting secrets of the program instructions (execution
codes) and the context information (execution state) which
are to be provided in encrypted forms by using the public
key (asymmetric key) cryptosystem, from a user of a target
system.

FIG. 1 shows the target system, where a microprocessor
2101 of the target system is connected to a main memory
2103 through a bus 2102.

As shown in FIG. 1, in this embodiment, the microprocessor
2101 has a register file 2111, an instruction execution
unit 2112, an instruction buffer 2113, a public key decryption
function 2114, a secret key register 2115, a common key
decryption function 2116, a common key register 2117, a
BIU (Bus Interface Unit) 2118, a register buffer 2119, a
public key register 2120, an encryption function 2121, a
decryption function 2122, and a previous common key
register 2123, which will be described in further detail
below.

First, the terms to be used in the following description will 
be described, and the operation of general operating system 
(OS) and application programs will be described briefly. A 
program is a set of data and a series of machine language 
instructions written for some specific purpose. The OS is a 
program for managing resources of the system, and the 
application is a program to be operated under the resource 
management of the OS. This embodiment presupposes the 
multi-task system, so that a plurality of application programs 
will be operated in a quasi parallel manner under the 
management of the OS. Each one of these programs that are
operated in the quasi parallel manner will be referred to as
a process. There are cases where a set of processes for
executing the processes for the same purpose will be
referred to as a task.

The instructions and data of the application program are
usually stored in files on a secondary memory. They are
arranged on a memory by a loader of the OS and executed
as a process. The execution of the program is often interrupted
by an exception (or interruption) processing of the
processor caused by input/output or the like. A program for
carrying out the exception processing will be referred to as
an exception handler. The exception handler is usually set up
by the OS. The OS can process an exception request from
the hardware, interrupt the operation of the application and
restart or start the operation of another application at arbitrary
timing. The interruptions of the process include transitory
cases where the execution of the original process is
restarted without switching processes after the execution of
the exception handler, and cases requiring the process
switching. Examples of the former include a simple timer
increment and examples of the latter include a virtual
memory processing due to the page exception.

The object of this embodiment is to protect the program 
instructions (execution codes) and the execution state from 
a user of the target system who can freely read the main 
memory of the target system and freely alter the OS program 
or application programs. 

The basic features for achieving this object are the access
control with respect to the information storage inside the
processor and the encryption based on the information listed
below.

(1) A common key Kx selected by a program creator. The
application program will be encrypted by the secret key
cryptosystem using this key.

(2) A pair of a unique public key Kp and a unique secret 
key Ks provided inside the processor. The public key can be 
read out by the program by using instructions. 






(3) An encryption key information in which the common 
key Kx of the program is encrypted by using the public key 
Kp of the processor. 

[Execution of a Plaintext Program] 

This processor is capable of executing a program with 
coexisting plaintext instructions and encrypted instructions 
which is placed on the main memory. Here the operation 
inside the CPU for the execution of a plaintext program will 
be described with references to FIG. 1 and a memory 
arrangement shown in FIG. 2. 

FIG. 2 shows an entire memory space 2201, in which 
programs are placed in regions 2202 to 2204 on the main 
memory, where regions 2202 and 2204 are plaintext regions 
while a region 2203 is an encrypted region. A region 2205 
stores a key information to be used in decrypting the region
2203. 

The execution of the program is started as the control is
shifted from the OS by an instruction for jump to a top X of
the program or the like. The instruction execution unit 2112
executes the instruction for jump to X, and outputs an
address of the instruction to the BIU 2118. The content of the
address X is read through the bus 2102, sent from the BIU
2118 to the instruction buffer 2113, and sent to the instruction
execution unit 2112 where the instruction is executed.
Its operation result is reflected in the register file 2111. When
the operation target is reading/writing with respect to an
address on the main memory 2103, its address value is sent
to the BIU 2118, that address is outputted from the BIU 2118
to the bus 2102, and data reading/writing with respect to the
memory is carried out.

The instruction buffer 2113 has a capacity for storing two
or more instructions, and the instructions corresponding to a
size of the instruction buffer 2113 are collectively read out
from the main memory 2103.

[Execution of Encrypted Instructions]
Next, the case of executing an encrypted instruction will
be described. The processor of this embodiment has two
states including the execution of plaintext instructions and
the execution of encrypted instructions, and two types of
instructions for controlling these states are provided. One is
an encryption execution start instruction for making a transition
from the execution of plaintext instructions to the
execution of encrypted instructions, and another is a plaintext
return instruction for making a reverse transition.
[Encryption Execution Start Instruction]
The encryption execution start instruction is denoted by
the following mnemonic "execenc" and takes one operand:

execenc keyaddr

where "keyaddr" indicates an address where the key information
to be used in decrypting the subsequent instructions
is stored.

[Key Information]

Here, the key information and the program encryption
will be described. The encrypted region 2203 comprises a
sequence of encrypted instructions. The instructions are
subdivided into blocks in units of a prefetch queue size and
encrypted by the secret key algorithm such as DES (Data
Encryption Standard) algorithm. A key to be used in this
encryption will be denoted as Kx hereafter. Since the secret
key algorithm is used, the same key Kx is also used for the
decryption.

If this Kx is placed on the main memory in a plaintext
form, a user who can operate the OS of the target system
can easily read it and analyze the encrypted program. In
order to prevent this, E_Kp[Kx] obtained by encrypting Kx by
using the public key Kp of the processor will be placed in the
region 2205 of the memory. A top address of this region is
indicated by "keyaddr".

It is cryptographically (computationally) impossible to
decrypt Kx from E_Kp[Kx] unless one knows Ks corresponding
to the public key Kp. Consequently, the secret of the
program will never be leaked to the user as long as the user
of the target system does not know Ks. This Ks is stored in
a form that cannot be read out from the external, inside the
processor. The processor can decrypt Kx internally without
allowing the user to learn about it, and the processor can also
decrypt the encrypted program by using Kx and execute it.

In the following, the encryption execution start instruction
and the subsequent execution of the encrypted instruction
will be described in detail. By the execution of the jump
instruction in a region 2207, the control is shifted to the
encryption execution start instruction at the address "start".
At the address indicated by the operand "keyaddr" of the
encryption execution start instruction, the content of the
specified region 2205 is read out to the instruction execution
unit 2112 of the processor as data. The instruction execution
unit 2112 sends this data E_Kp[Kx] to the public key decryption
function 2114. The public key decryption function 2114
takes out Kx by decrypting E_Kp[Kx] by using a secret key Ks
unique to the processor which is stored in the secret key
register 2115, and stores it in the common key register 2117.
Then, the processor enters the encrypted instruction execution
state.

Here, it is assumed that the processor package is manufactured
such that the contents stored in the secret key
register 2115 and the common key register 2117 cannot be
read out to the external by the program or the debugger of
the processor chip.

By executing the encryption execution start instruction,
the key to be used in decrypting the subsequent instructions
is stored into the common key register 2117, and the
processor is entered into the encrypted instruction execution
state. When the processor is in the encrypted instruction
execution state, the instructions read from the main memory
2103 are sent from the BIU 2118 to a common key decryption
function 2116, decrypted by using the key information
stored in the common key register 2117 and stored into the
instruction buffer 2113.

In this embodiment, the program encrypted by using the
key Kx which is stored in the region 2204 next to the
encryption execution start instruction will be decrypted,
stored in the instruction buffer 2113, and executed. The
reading is carried out in units of a size of the instruction
buffer 2113. FIG. 2 shows an exemplary case where the size
of the instruction buffer 2113 is 64 bits, and four instructions
of 16 bits size each are collectively read out to the instruction
buffer 2113.

[Plaintext Return Instruction] 

The processor in the encrypted instruction execution state
returns to the plaintext instruction execution state by the
execution of the plaintext return instruction.

The plaintext return instruction is denoted by the following
mnemonic:

exitenc

which takes no operand. By execution of this instruction, the
reading of the instructions from the main memory 2103 is
carried out through a path that does not pass through the
common key decryption function 2116, and the processor
returns to the execution of the plaintext instructions.

Note that when the encryption execution start instruction
is executed again during the execution of the encrypted
instruction, the instruction decryption key is changed such
that the subsequent instructions are decrypted by using a
different key and executed.

[Context Saving and Attack Against It]

Next, the safe saving of the execution state in order to
protect the secret of the application program in the multi-task
environment will be described.

The register file 2111 of this processor has 32 general
purpose registers (R0 to R31). R31 is used as a program
counter. The contents of the general purpose registers are
stored in the register file 2111. When the exception occurs
during the execution of the encrypted program as described
above, the contents of the register file 2111 are moved to the
register buffer 2119, and the contents of the register file 2111
are initialized by a prescribed value or a random number.
Then, the value of the common key used for decryption of
the encrypted program is stored in the previous common key
register 2123. Only when these two types of initialization are
completed, the control is shifted to the exception handler and
the instructions of the exception handler are executed. The
instructions of the exception handler are assumed to be
non-encrypted.

By this register file initialization function, in the processor
of this embodiment, the reading of the register values
processed by the encrypted program by the exception handler
program is prevented even in the case where the control
is shifted to the exception handler as an exception occurs
during the execution of the encrypted program. At the same
time, the contents of the register file 2111 are saved in the
register buffer 2119, and there is a function for recovering
the register buffer contents and for storing them into the
memory as will be described below, so as to enable the
restart of the encrypted program.

Now, the register contents stored in the register buffer
2119 cannot be read out directly from the non-encrypted
program of the exception handler. The non-encrypted program
of the exception handler is only allowed to perform the
following two operations with respect to the register buffer
2119.

(1) Recover the register buffer contents and restart the
execution of the original encrypted program.

(2) Encrypt the register buffer contents and store them
into the memory, and execute the OS program or another
encrypted program.

In the case of (1), when the exception handler processing
such as the increment of the counter is finished, the exception
handler issues a "cont" (continue) instruction. When the
"cont" instruction is executed, the contents of the register
buffer 2119 and the previous common key register 2123 are
recovered in the register file 2111 and the common key
register 2117, respectively. The program counter is contained
in the register file 2111, so that the execution of the
encrypted program is restarted by setting the control back to
a point where the execution of the encrypted program was
interrupted. For the decryption of the encrypted program
after the restart, the value recovered from the previous
common key register 2123 will be used. Similarly as the
contents of the register buffer 2119, the program cannot
rewrite the previous common key register 2123 explicitly.

The case of (2) corresponds to the case where the process
switching occurs at a timing of the execution of the exception
handler. In this case, the exception handler or a task
dispatcher of the processor issues a "savereg" (save register)
instruction for saving the contents of the register buffer 2119
into the memory. This "savereg" instruction is denoted by
the following mnemonic:

savereg dest

and takes one operand "dest" indicating an address to which
the register buffer contents are to be saved.

When the "savereg" instruction is issued, the contents of
the register buffer 2119 and the previous common key
register 2123 are encrypted by the encryption function 2121
by using the public key Kp of the processor stored in the
public key register 2120, and saved at an address on the main
memory 2103 specified by "dest" through the BIU 2118. The
main memory 2103 is outside the processor so that it has a
possibility of being accessed by the user, but these contents
are encrypted by the public key of the processor so that the
user who does not know the secret key of the processor
cannot learn the register buffer contents.

After the register buffer contents are saved, the OS
activates another encrypted program by the method
described above. If another encrypted program is activated
without saving the register buffer contents, the register
buffer contents would be rewritten to those of another
encrypted program when the execution of another encrypted
program is interrupted, and it would become impossible to
restart the original encrypted program as the register buffer
contents for the original encrypted program are lost.

Here, the number of the register buffer is assumed to be
one, but it is also possible to provide a plurality of register
buffers so as to be able to deal with multiple exceptions.

[Recovery Procedure]
Next a procedure for recovering the saved execution state
will be described.

At a time of restarting the interrupted application, a
dispatcher of the OS issues a "revrreg" (recover register)
instruction. This "revrreg" instruction is denoted by the
following mnemonic:

revrreg addr

and takes one operand "addr" indicating an address at which
the execution state is saved.

When the "revrreg" instruction is issued, the encrypted
execution state information is taken out from the address of
the memory specified by "addr" by the BIU 2118 of the
processor, decrypted by using the secret key Ks of the
processor by the decryption function 2122, and the register
information is recovered in the register file 2111 while the
program decryption key is recovered in the common key
register 2117. When the recovery is completed, the execution
of the interrupted program is restarted from a point
indicated by the program counter. At this point, the key Kx
recovered from the execution state information will be used
for decryption of the encrypted program.

The detail of the saving and the recovery of the execution
state in relation to the interruption of the encrypted program
due to exception has been described above. As already
described above, the encrypted programs are safe against
attacks from the user who can operate the OS of the target
system.

Next, the safety of the above described scheme against
two types of attacks against the execution state will be
described.

[Attacks Against the Execution State]
There are two types of attacks against the execution state
that is generated in a process of the application execution.
One is the peeping of the saved execution state by an
attacker, and the other is the rewriting of the execution state
to a desired value by an attacker.

Here, the following two terms for expressing the illegal
accesses to the execution state will be defined. First, the
program that has generated the execution state will be
referred to as an original program for that execution state.
The original program can be restarted by recovering the
execution state in the registers. On the other hand, programs
other than the program that has generated the execution
state, that is programs encrypted by encryption keys different
from that of the original program or plaintext programs,
will be referred to as other programs.

The illegal accesses or the attacks with respect to the
execution state generated by some original program are
defined as an act of directly analyzing the execution state on
the memory by some method independently from the operation
of the processor by a third party who does not know the
encryption key of the original program, or an act of analyzing
the execution state or rewriting the execution state to a
desired value by a third party utilizing the other programs
operated on the same processor.

In the microprocessor of this embodiment, the execution
state is protected by the following three types of mechanisms
so as to prevent the illegal accesses utilizing the
access to the memory external of the processor or the other
programs.

First, in this embodiment, the register information is
saved in the register buffer 2119 when the execution of the
encrypted program is interrupted. Then, the register buffer
2119 and the previous common key register 2123 cannot be
accessed by any methods other than that using the "revrreg"
instruction or the "savereg" instruction, so that the other
programs cannot read their contents freely.

In the conventional processor, the register contents at a
time of the exception occurrence can be freely read by the
exception handler program. In the microprocessor of this
embodiment, the register contents are saved in the register
buffer 2119 so as to prohibit the reading from the other
programs, and the instruction for saving the register buffer
contents by encrypting them by using the public key of the
processor is provided so as to prevent the peeping of the
execution state saved on the memory by the user of the
system.

The second attacking method includes a method for
reading values of the registers contained in the execution
state by placing the instruction of some other program
known to the attacker at the same memory address as the
original program such that this other program reads the
encrypted execution state.

In the microprocessor of this embodiment, the encrypted
execution state contains the program encryption key, and
this key will be used in decrypting the encrypted program at
a time of restart. Because of this mechanism, even when the
other program other than the original program attempts to
read the execution state, the key for does not match so that
the program cannot be decrypted correctly and the program
cannot be executed according to the intention of the attacker.
Thus the second attacking method is impossible in the
microprocessor of this embodiment.

This effect cannot be realized by simply encrypting the
execution state itself by the public key of the processor, but
can be realized by encrypting the decryption key of the
original program and the execution state integrally.

Note that, in order to maximize this effect, values of the
registers (R0 to R31) and the common key Kx should
preferably be stored in the identical cipher block at a time of
the encryption using the public key.

[Data Protection]
In the microprocessor of this embodiment, the encryption
of the data is not accounted, but it should be apparent to
those skilled in the art that it is possible to add the data
encryption function to the microprocessor of this embodiment
similarly as the data encryption in the microprocessor
for supporting the virtual memory which will be described
in the second embodiment.

Referring now to FIG. 3 to FIG. 14, the second embodiment
of a tamper resistant microprocessor according to the
present invention will be described in detail.

In this embodiment, the microprocessor according to the
present invention will be described for an exemplary case of
using an architecture based on the widely used Pentium Pro
microprocessor of the Intel corporation, but the present
invention is not limited to this particular architecture. In the
following description, features specific to the Pentium Pro
microprocessor architecture will be noted and applications
to the other architectures will be mentioned.

Note that the Pentium Pro architecture distinguishes three 
types of addresses in the address space including physical 
addresses, linear addresses and logical addresses, but the 
linear addresses in the Pentium terminology will also be 
referred to as logical addresses in this embodiment. 

In the following description, the protection implies the
protection of secrets of applications (that is the protection by
encryption), unless otherwise stated. Consequently, the
protection in this embodiment should be clearly distinguished
from the ordinarily used concept of protection, that is the
prevention of disturbances on the operations of the other
applications due to the operation of some application.
However, in the present invention, it is assumed that the
operation protection mechanism in the ordinary sense is of
course provided by the OS (although the description of this
aspect will be omitted as it is unrelated to the present
invention), in parallel to the protection of secrets of
applications according to the present invention.

Also, in the following description, machine language
instructions that are executable by the processor will be
referred to as instructions, and a plurality of instructions will
be collectively referred to as an execution code or an
instruction stream. A key used in encrypting the instruction
stream will be referred to as the execution code encryption
key.

Also, in the following description, the secret protection
mechanism will be described as protecting secrets of
applications under the management of the OS, but this
mechanism can also be utilized as a mechanism for protecting the
OS itself from alteration or analysis.

FIG. 3 shows a basic configuration of the microprocessor
according to this embodiment, and FIG. 4 shows a detailed
configuration of the microprocessor shown in FIG. 3.

The microprocessor 101 has a processor core 111, an
instruction TLB (Table Lookup Buffer) 121, an exception
processing unit 131, a data TLB (Table Lookup Buffer) 141,
and a secondary cache 152. The processor core 111 includes a bus
interface unit 112, a code and data encryption/decryption
processing unit 113, a primary cache 114, and an instruction
execution unit 115.

The instruction execution unit 115 further includes an
instruction fetch/decode unit 214, an instruction table 215,
an instruction execution switching unit 216, and an
instruction execution completing unit 217.

The exception processing unit 131 further includes a 
register file 253, a context information encryption/ 
decryption unit 254, an exception processing unit 255, a 
secret protection violation detection unit 256, and an execu- 
tion code encryption key and signature verification unit 257. 

The instruction TLB 121 further includes a page table
buffer 230, an execution code decryption key table buffer
231, and a key decryption unit 232. The data TLB 141
further includes a protection table management unit 233.

The microprocessor 101 has a key storage region 241 for
storing a public key Kp and a secret key Ks which are unique
to this microprocessor. Now, consider the case of purchasing
a desired execution program A from some program vendor
and executing it. The program vendor encrypts the program
A by using a common execution code encryption key Kcode
(E_Kcode[A]) before supplying the execution program A, and
sends the common key Kcode used for encryption in a form
encrypted by using the public key Kp of the microprocessor
101 (E_Kp[Kcode]) to the microprocessor 101. The
microprocessor 101 is a multi-task processor which processes not
only this execution program A but also a plurality of
different encrypted programs in a quasi parallel manner (that
is by allowing interruptions). Also, the microprocessor 101
obviously executes not only the encrypted programs but also
plaintext programs.

The microprocessor 101 reads out a plurality of programs
encrypted by using different execution code encryption keys
from a main memory 281 external of the microprocessor 101
through the bus interface unit (reading function) 112. The
execution code decryption unit 212 decrypts these plurality
of read out programs by using respectively corresponding
decryption keys, and the instruction execution unit 115
executes these plurality of decrypted programs.

In the case of interrupting the execution of some program,
the context information encryption/decryption unit 254 of
the exception processing unit 131 encrypts information
indicating the execution state up to an interrupted point of
the program to be interrupted and the code encryption key of
this program by using the public key of the microprocessor
101, and writes the encrypted information into the main
memory 281 as the context information.

In the case of restarting the interrupted program, the
execution code encryption key and signature verification
unit 257 decrypts the encrypted context information by
using the secret key of the microprocessor 101, verifies
whether the execution code encryption key contained in the
decrypted context information (that is the execution code
encryption key of the program scheduled to be restarted)
coincides with the original execution code encryption key of
the interrupted program, and restarts the execution of the
program only when they coincide.

Here, before describing the detailed configuration and
functions of the microprocessor 101, the processing
procedure for the execution of plaintext instructions and the
execution of encrypted programs by the microprocessor 101
will be outlined.

When the microprocessor 101 executes a plaintext
instruction, the instruction fetch/decode unit 214 attempts to
read the content of an address indicated by a program
counter (not shown) from an L1 instruction cache 213. If the
content of the specified address is cached, the instruction is
read out from the L1 instruction cache 213, sent to the
instruction table 215, and executed. The instruction table
215 is capable of executing a plurality of instructions in
parallel, and requests reading of data necessary for carrying
out the execution to the instruction execution switching unit
216 and receives the data. When the instructions are
executed in parallel and their execution results are
determined, the execution results are sent to the instruction
execution completing unit 217. The instruction execution
completing unit 217 writes the execution result into the
register file 253 when the operation target is a register inside
the microprocessor 101, or into an L1 data cache 218 when
the operation target is a memory.

The content of the L1 data cache 218 is cached once again
by an L2 cache 152 under the control of the bus interface
unit 112, and written into the main memory 281. Here, the
virtual memory mechanism is used, where a correspondence
between the logical memory address and the physical
memory address is defined by a page table shown in FIG. 5.

The page table is a data structure placed on the physical
memory. The data TLB 141 actually carries out a conversion
from the logical address to the physical address, and at the
same time manages the data cache. The data TLB 141 reads
a necessary portion of the table according to a top address of
the table indicated by a register inside the microprocessor
101, and carries out the operation for converting the logical
address into the physical address. At this point, only the
necessary portion of the page table is read out to a page table
buffer 234 according to the logical address to be accessed,
rather than reading out the entire page table on the memory
to the data TLB 141.

The basic cache operation is stable regardless of whether
the instructions of the program are encrypted or not. Namely,
a part of the page table is read out to the instruction TLB
121, and the address conversion is carried out according to
the definition contained therein. The bus interface unit 112
reads instructions from the main memory 281 or the L2
cache 152, and instructions are stored in the L1 instruction
cache 213. The reading of instructions out to the L1
instruction cache 213 is carried out in units of a line formed by a
plurality of words, which enables a faster access than the
reading in word units.

The address conversion utilizing the same page table on
the physical memory is also carried out for the processing
target data of the executed instructions, and the execution of
the conversion is carried out at the data TLB 141 as
described above.

The operation up to this point is basically the same as the
general cache memory operation.

Next, the operation in the case of executing an encrypted
program will be described. In this embodiment, it is assumed
that the execution codes for which secrets are to be protected
are all encrypted, and the encrypted execution codes will
also be referred to as protected codes. In addition, a range of
the protection by the same encryption key will be referred to
as a protection domain. Namely, a set of codes protected by
the same encryption key is belonging to the same domain,
and codes protected by different encryption keys are
belonging to different protection domains.

First, the execution codes of a program encrypted by the
secret key scheme block cipher algorithm are stored on the
main memory 281. A method for loading the encrypted
program transmitted from a program vendor will be
mentioned below.

A cipher block size of the execution codes can be any
value as long as two to the power of the block size coincides
with a line size that is a unit for reading/writing with respect
to the cache memory. However, if the block size is so small
that a block length coincides with an instruction length, there
arises a possibility for analyzing the instruction easily by
recording a correspondence between encrypted data and a
predictable portion of the instruction such as a top portion of
a sub-routine. For this reason, in this embodiment, the
blocks are interleaved such that there is a mutual
dependency among data in the blocks and the encrypted block
contains information on a plurality of instruction words or
operands. In this way, it is made difficult to set a
correspondence between the instruction and the encrypted block.

FIGS. 7A and 7B show an example of the interleaving that
can be used in this embodiment. In this example, it is
assumed that the line size of the cache is 32 bytes and the
block size is 64 bits (i.e., 8 bytes). As shown in FIG. 7A,
before the interleaving, one word is formed by 4 bytes, so
that a word A is formed by 4 bytes of A0 to A3. One line is
formed by 8 words of A to H. When this is interleaved in
units of 8 bytes corresponding to the block size of 64 bits,
as shown in FIG. 7B, A0, B0, . . . , H0 are arranged in the
first block corresponding to word 0 and word 1, A1, B1,
. . . , H1 are arranged in the next block, and so on.

An attack can be made more difficult by setting a length
of a region to be interleaved longer, but the interleaving of
a region with a length longer than the line size makes the
processing more complicated and lowers the processing
speed because the decryption/encryption of one cache line
would depend on reading/writing of another line. Thus it is
preferable to set a range for interleaving within a range of
the cache line size.

Here the method for interleaving data of blocks is used 
such that there is a mutual dependency among data in a 
plurality of blocks contained in the cache line, but it is also 
possible to use the other method for generating a depen- 
dency among data blocks, such as the CBC (Cipher Block 
Chaining) mode of the block cipher. 
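
The effect of the interleaving of FIGS. 7A and 7B can be checked with a short program. The following Python is an added illustration, not part of the patent text: the 4-round Feistel cipher, the key and the two sample cache lines are constructed for the demonstration, and only the 32-byte line, 8-byte block and 4-byte word sizes come from the description above.

```python
import hashlib

LINE_SIZE, BLOCK_SIZE, WORD_SIZE = 32, 8, 4   # sizes used in FIGS. 7A and 7B
WORDS = LINE_SIZE // WORD_SIZE                # words A..H in one cache line
ROUNDS = 4                                    # toy cipher parameter (assumption)


def interleave(line: bytes) -> bytes:
    """FIG. 7A -> FIG. 7B: block k holds byte k of every word (Ak, Bk, ..., Hk)."""
    if len(line) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(line[w * WORD_SIZE + k]
                 for k in range(WORD_SIZE) for w in range(WORDS))


def deinterleave(data: bytes) -> bytes:
    """Inverse processing carried out after the decryption in block units."""
    if len(data) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(data[k * WORDS + w]
                 for w in range(WORDS) for k in range(WORD_SIZE))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (stand-in for the real cipher).
    return hashlib.blake2b(bytes([rnd]) + half, key=key, digest_size=4).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _per_block(fn, key: bytes, data: bytes) -> bytes:
    # Each 64-bit block is processed independently with the same key.
    return b"".join(fn(key, data[i:i + BLOCK_SIZE])
                    for i in range(0, LINE_SIZE, BLOCK_SIZE))


def encrypt_line(key: bytes, line: bytes, interleaved: bool = True) -> bytes:
    return _per_block(encrypt_block, key, interleave(line) if interleaved else line)


def decrypt_line(key: bytes, data: bytes, interleaved: bool = True) -> bytes:
    plain = _per_block(decrypt_block, key, data)
    return deinterleave(plain) if interleaved else plain


def matching_blocks(c1: bytes, c2: bytes) -> int:
    """Ciphertext blocks that look identical to an observer of main memory."""
    return sum(c1[i:i + BLOCK_SIZE] == c2[i:i + BLOCK_SIZE]
               for i in range(0, LINE_SIZE, BLOCK_SIZE))


# Constructed sample: two different routines that open with the same two words.
PROLOGUE = bytes.fromhex("5589e583ec10c745")
LINE_A = PROLOGUE + bytes(range(0x10, 0x28))
LINE_B = PROLOGUE + bytes(range(0x40, 0x58))
KCODE = bytes.fromhex("0123456789abcdef")     # constructed 64-bit Kcode

if __name__ == "__main__":
    for mode in (False, True):
        a = encrypt_line(KCODE, LINE_A, mode)
        b = encrypt_line(KCODE, LINE_B, mode)
        label = "interleaved    " if mode else "not interleaved"
        print(label, matching_blocks(a, b), "repeated block(s)")
```

Two lines that are identical in full still encrypt to identical ciphertext under either layout, because nothing in this scheme varies per line.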

The decryption key Kcode (which will also be referred to
as the encryption key hereafter even in the case of
decryption because the encryption key and the decryption key are
identical in the secret key algorithm) of the encrypted
execution codes is determined according to the page table.
FIG. 5 and FIG. 6 show a table structure of the conversion
from the logical address to the physical address.

A logical address 301 of the program counter indicates
some value, and a directory 302 and a table 303 constituting
its upper bits specify a page entry 307-j. The page entry
307-j contains a key entry ID 307-j-K, and a key entry 309-m
to be used for decryption of this page is determined in a key
table 309 according to this ID. The physical address of the
key table 309 is specified by a key table control register 308
inside the microprocessor.

In this configuration, the ID of the key entry is set in the
page entry rather than setting the key information directly,
such that the key information in a large size is shared among
a plurality of pages so as to save a limited size of a memory
region on the instruction TLB 121.

In further detail, the page table and key table information
is stored into the instruction TLB 121 as follows. Only
portions necessary for the access to the memory are read out
from the page tables 306, 307 and 311 to the page table
buffer 230, and from the key table 309 to the execution code
decryption key table buffer 231.

In a state of being stored on the main memory, a reference
counter of the key object 309-m which is an element of the
key table 309 indicates the number of page tables that refer
to this key object. In a state where the key object is read out
to the execution code decryption key table buffer 231, this
reference counter indicates the number of page tables that
refer to this key object and that are read out to the page table
buffer 230. This reference counter will be used for
judgement at a time of deleting any unnecessary key object from
the execution code decryption key table buffer 231.

One of the features of this embodiment is that the key
table entry has a fixed length but a key length used in each
table is made variable in order to be able to deal with a
higher cryptoanalytic power, and specified at a key size
region of the key table. It implies that the secret key Ks
unique to the microprocessor 101 is fixed but the length of
Kcode to be used for encryption and decryption of the
program can be changed by the specification of the key
entry. In order to specify a position of the variable length
key, the key entry 309-m has a field 309-m-4 pointing to the
key entry, which indicates an address of the key object 310.

In the key object region 310, the execution code
encryption key Kcode is stored in a form E_Kp[Kcode] encrypted by
the public key algorithm using the public key Kp of the
microprocessor 101. In order to encrypt data safely in the
public key algorithm, a large redundancy is necessary, so
that a length of the encrypted data becomes longer than a
length of the original data. Here, lengths of Ks and Kp are
set to be 1024 bits, a length of Kcode is set to be 64 bits,
which is extended to 256 bits by padding, and E_Kp[Kcode] is
encrypted in a length of 1024 bits and stored in the key
object region 310. When Kcode is so long that it cannot be
stored in 1024 bits, it is divided into a plurality of blocks of
1024 bits size each and stored.

FIG. 8 summarizes the information flow in the code
decryption. A program counter 501 indicates an address
"Addr" on an encrypted code region 502 on a logical address
space 502. The logical address "Addr" is converted into the
physical address "Addr'" according to the page table 307
that is read out to the instruction TLB 121. At the same time,
the encrypted code decryption key E_Kp[Kcode] is taken out
from the key table 309, decrypted by using the secret key Ks
provided in the CPU at a decryption function 506, and stored
into a current code decryption key memory unit 507. The
common key Kcode for the code encryption is encrypted by
using the public key Kp of the microprocessor 101 by the
program vendor, and supplied along with the program
encrypted by using Kcode, so that the user who does not
know the secret key Ks of the microprocessor 101 cannot
know Kcode.

After the program execution codes are encrypted by using
Kcode and shipped, the program vendor keeps and manages
Kcode safely such that its secret will not be leaked to a third
party.

An entire key table 511 and an entire page table 512 are
placed in a physical memory 510, and their addresses are
specified by a key table register 508 and a CR3 register 509
respectively. From the contents of these entire tables, only
necessary portions are cached into the instruction TLB 121
through the bus interface unit 112.

Now, when a content 503 corresponding to the physical
address "Addr'" as converted by the instruction TLB 121 is
read out by the bus interface unit 112, this page is encrypted
so that it is decrypted at a code decryption function 212. The
reading is carried out in units of the cache line size, and after
the decryption in block units, the inverse processing of the
interleaving described above is carried out. The decrypted
result is stored in the L1 instruction cache 213, and executed
as an instruction.

Here, the method for loading the encrypted program and
the relocation of the encrypted program will be described.
For the loading of a program into the memory, there is a
method in which a program loader changes an address value
contained in the execution codes of the program in order to
deal with a change of an address for loading the program, but
this method is not applicable to the encrypted program.
However, the relocation of the encrypted program is
possible by using a method of realizing the relocation without
directly rewriting the execution codes by utilizing a table
called Jump table or IAT (Import Address Table).

Further details of the loading procedure and the relocation
for general programs can be found, for example, in L. W.
Allen et al., "Program Loading in OSF/1", USENIX winter,
1991, and the loading method and the relocation for the
encrypted program can be found in Japanese Patent
Application No. 2000-35898 of the applicants.

It is possible to protect the execution codes placed on the
memory external of the processor by the above described
method for decrypting the encrypted execution codes of the
program, reading them out to the cache memory inside the
processor, and executing them.

However, the execution codes that are decrypted into
plaintext can exist inside the processor. Even if it is
impossible to read them out directly from outside the processor,
there is a possibility for the plaintext program to be read out
and analyzed by the other programs that are operated in the
same processor.

In this embodiment, the key decryption processing by
using the secret key 241 and the key decryption unit 232 of
the instruction TLB 121 is not carried out at a time of data
reading into an L1 data cache 218. When the data reading is
carried out with respect to an encrypted page for which an
encryption flag 307-j-E is set to "1" in the page table, either
non-decrypted original data or data of a prescribed value "0"
will be read out, or else an exception occurs such that the
normally decrypted data cannot be read out. Note that when
the encryption flag 307-j-E in the page table is rewritten, the
decrypted content of the corresponding instruction cache
will be invalidated.

By this mechanism, it becomes impossible for the other
programs (including the own program) to read the execution
codes of the encrypted program as data, and decrypt them by
utilizing functions of the processor.

Also, the other programs cannot explicitly read data in the
instruction cache, so that the safety of the execution codes
can be guaranteed. The safety of the data will be described
below.

Because the encrypted execution codes can be executed in
this way, in the microprocessor of this embodiment, by
selecting the encryption algorithm and parameters
appropriately, it can be made cryptographically impossible
for a party who does not know the true value of the execution
code encryption key Kcode to analyze the operation of the
program by de-assembling the execution codes.

Thus the user cannot know the true value of the execution
code encryption key Kcode, and it can be made
cryptographically impossible for the user to make an alteration
according to the user's intention such as illegal copying of
the contents handled by the application by altering a part of
the encrypted program.

Next, another feature of the microprocessor of this
embodiment regarding the encryption, signature and its
verification for the context at a time of interrupting the
program execution under the multi-task environment will be
described.

The execution of the program under the multi-task
environment is often interrupted by the exception. Normally,
when the execution is interrupted, a state in the processor is
saved on the memory, and then the original state is recovered
at a time of restarting the execution of that program later on.
In this way, it becomes possible to execute a plurality of
programs in a quasi parallel manner and accept the
interruption processing. This information on the state at a time of
the interruption is called the context information. The context
information contains information on registers used by the
application, and in some cases, information on registers that
are not explicitly used by the application is also contained in
addition.

In the conventional processor, when the interruption
occurs during the execution of some program, the control is
shifted to the execution codes of the OS while the register
state of the application is maintained, so that the OS can
check the register state of that program to guess what
instructions were executed, or alter the context information
maintained in a plaintext form during the interruption so as
to change the operation of the program after the restart of the
execution of that program.

In view of this fact, in this embodiment, when the
interruption occurs during the execution of the protected
codes, the context of the execution immediately before that
is encrypted and saved while all the application registers are
either encrypted or initialized, and a signature made by the
processor is attached to the context information. The
signature is verified at a time of recovery from the interruption,
to check whether the signature is proper or not. When the
improper signature is detected, the recovery is stopped so
that the illegal alteration of the context information by the
user can be prevented. At this point, the encryption target
registers are user registers 701 to 720 shown in FIG. 9.

In the Pentium Pro architecture, there is a hardware
mechanism for assisting the saving of the context information
of the process into the memory and its recovery. A
region for saving the state is called TSS (Task State
Segment). In the following, an exemplary case of applying
the present invention to this mechanism will be described,
but the present invention is not limited to the Pentium Pro
architecture, and equally applicable to any processor
architectures in general.

The saving of the context information in conjunction with
the exception occurrence takes place in the following case.
When the exception occurs, an entry corresponding to the
interruption cause is read out from a table called IDT
(Interrupt Descriptive Table) for describing the exception
processing, and the processing described there is executed.
When the entry indicates a TSS, the context information
saved in the indicated TSS is recovered to the processor. On
the other hand, the context information of the process that
has been executed up until then is saved in the TSS region
specified by a task register 725 at that point.

Using this automatic context saving mechanism, it is
possible to save the entire state of the application including
the program counter and the stack pointer, and detect any
alteration at a time of the recovery by verifying the
signature. However, when this automatic context saving is used,
apart from the fact that a large overhead will be caused by
the context switching, there arises a problem that it is
impossible to carry out the interruption processing without
using the TSS.

In order to reduce the overhead due to the interruption
processing, or to maintain the compatibility with the existing
programs, it is preferable not to use the automatic context
saving mechanism, but in such a case, the program counter
will be saved on the stack and cannot be a target of the
verification, so that it can be a target of the alteration by the
malicious OS. These two cases should preferably be used in
their proper ways according to the purpose. For this reason,
the microprocessor of this embodiment adopts the automatic
context saving with respect to the protected (encrypted)
execution codes as a result of attaching more importance to
the safety. The registers to be automatically saved may not
necessarily be all registers.

The context saving and recovery processing in this
embodiment has the following three major features.

(1) The contents of the saved context can be decrypted
only by the microprocessor that generated the context and a
person who knows the encryption key Kcode of the program
that generated the context.

(2) In the case where the program protected by some
execution code encryption key X is interrupted and its
context is saved, its restart processing cannot be applied to
the restart of a non-protected program or a program
encrypted by another execution code encryption key Y.
Namely, the program to be recovered from the interruption
cannot be replaced by another program at a time of the
restart.

(3) The recovery of the altered context is prohibited.
Namely, if the saved context is altered, that context will not
be recovered.

By the above feature (1), it is possible to maintain the
safety of the context information while enabling the analysis
of the context information by the program vendor. The fact
that the program vendor has a right to analyze the context
information is important in order to maintain the quality of
the program by analyzing causes of any trouble that
occurred according to a condition by which the program is
used by the user.

The above feature (2) is effective in preventing a situation
where an attacker applies the context generated by the
execution of a program A to encrypted program B
and restarts the program B from a known state saved in the
context in order to analyze secrets of the data or the codes
contained in the program B or alter the operation of the
program B. This function is also a prerequisite for the data
protection to be described below in which each one of a
plurality of applications maintains own encrypted data
exclusively and independently from the others.

By the above feature (3), it is possible to strictly eliminate
the alteration of the context information utilizing an
occasion of the restart of the program.

The reason for providing such a function is that simply
encrypting the context information according to the secret
information of the processor can protect the context
information from the alteration according to the intention of the
attacker, but it is impossible to eliminate a possibility for the
random alteration of the context information and the restart of
the program with random errors.

In the following, the context saving and verification
method incorporating the above three features will be
described in further detail.

<Context Saving Processing>

FIG. 10 shows the context saving format in this
embodiment conceptually. It is assumed that the interruption due to
the hardware or software related cause has occurred during
the execution of the protected program. If the IDT entry
corresponding to the interruption indicates a TSS, the
execution state of the program up to that point is encrypted, and
saved as the context information in a TSS indicated by the
current task register 725 (rather than the indicated TSS
itself). Then, the execution state saved in the TSS indicated
by the IDT entry is recovered to the processor. If the IDT
entry does not indicate a TSS, only the encryption or the
initialization of the current registers is carried out, and the
saving into the TSS does not take place. Of course the
restart of that program becomes impossible in that case.
Note however that the system registers including a part of
the flag registers and the task register are excluded from a
target of the encryption or the initialization of the registers
for the sake of continuation of the OS operation.

The contents of the context shown in FIG. 10 are actually
interleaved, encrypted in block units and stored in the
memory. Here the information items to be saved will be
described first. At a top, stack pointers and user registers 802
to 825 corresponding to respective privileged modes are
provided, and one word 826 indicating a TSS size and the
presence/absence of the encryption is placed next. This
indicates whether the TSS in which the processor is saved is
encrypted or not. Even in the case where the TSS is
encrypted, this region will be maintained in a plaintext form
without being encrypted.

After that, data encryption control register (CY0 to CY3)
regions 827 to 830 that are added for the purpose of the data
protection are placed, and a padding 831 for adjusting the
size to the block length is placed. Finally, a value E_Kcode[Kr]
832 in which a key Kr used in encrypting the context is
encrypted by the secret key algorithm using the execution
code encryption key Kcode, a value E_Kp[Kr] 833 in which
the key Kr used in encrypting the context is encrypted by
using the public key Kp of the processor, and a signature
S_Ks[message] 834 using the secret key Ks of the processor
with respect to them all are placed. Also, a region 801 for a
link to the previous task that maintains a call up relationship
among tasks is saved in a plaintext form in order to enable
the task scheduling by the OS.

These execution code encryption and signature generation
are carried out by the context information encryption/
decryption unit 254 in the exception processing unit 131
shown in FIG. 4, which is based on a function independent
from the encryption of the processing target data of the
execution codes. At a time of saving the context information
in the TSS, even if some encryption is specified in an address
of the TSS by the other data encryption function, this
specification is ignored and the context information is saved
in a state in which the context is encrypted. This is because
the encryption attributes of the data encryption function are
specific to each protected (encrypted) program so that the
restart of some program cannot depend on that function.

In encrypting the context, a word in the TSS size region 
826 to be recorded in a plaintext form is replaced to a value 
"0". Then, the interleaving similar to that explained with 
references to FIGS. 7Aand 7B is applied, and the context is 
encrypted. At this point, the padding 831 is set to a size that 
enables the appropriate interleaving in accordance with the 
encryption block size. 

Here, the reason for not encrypting the register values 
directly by the public key Kp of the processor or the 
execution code encryption key Kcode is to enable Lhe 
analysis of the encrypted context by both the program 
vendor and the processor while prohibiting the decryption of 
Ihe context by Lhe user. 

The program vendor knows lhe execution code encryption 
key Kcode so that lhe program vendor can obtain the 
encryption key Kr of the context by decrypting Ej^^JTCr] 
832 by using Kcode. Also, the microprocessor 101 can 
obtain the encryption key Kr of the context by decrypting 
lijcyXKr] 833 by using the own secret key Ks. Namely, the 
program vendor can analyze Ihe trouble by decrypting Ihe 
context information without knowing tlie secret key of the 
microprocessor of the user, and the microprocessor 101 
itself can restart the execution by decrypting Ihe context 
information by using the own secret key Ks. 'trie user who 
does not have either key cannot decrypt the saved context 
information. Also, the user who does not know the secret key 
Ks of the microprocessor 101 cannot forge the context 
information and the signature S A .,[mcssagc] with respect to 
iW[Kr] and Li^Kr]. 

In order to enable the mutually independent decryption of 
the context information by the program vendor and the 
microprocessor, it is also possible to consider a method for 
encrypting the context information directly by using Kcode. 
However, in the case where the register state is already 
known, there is a possibility for the known-plaintext attack 
against the execution code encryption key Kcode. Namely, 
when a value of the key for encrypting data is fixed, the 
following problem arises. Consider the case of executing a 
program which reads a data input by the user and writes it 
into a working memory temporarily by encrypting it. The 
data that arc to be encrypted and written into the working 
memory can be ascertained by monitoring the memory, so 
that the user can repeat the input many times by changing the 
input value and obtain the corresponding encrypted data. 
This implies that the chosen-plaintext attack of the eryp- 
toanalysis theory is possible. 



The known-plaintext attack is not fatal to the secret key algorithm,
but it is still preferable to avoid that. For this reason, a random
number Kr is generated at a random number generation mechanism 252 of
the exception processing unit 131 at each occasion of the context
saving, and supplied to the context information encryption/decryption
unit 254. The context information encryption/decryption unit 254
encrypts the context by the secret key algorithm using the random
number Kr. Then, the value E_Kcode[Kr] 832 in which the random number
Kr is encrypted by the same secret key algorithm using the execution
code encryption key Kcode is attached. The value E_Kp[Kr] 833 is
obtained by encrypting the random number Kr by the public key algorithm
using the public key Kp of the microprocessor.

Here, the random number is generated by the random number generation
mechanism 252. In the case where the program is encrypted, normally
there is no change in the program codes so that the corresponding
plaintext codes cannot be acquired illegally as long as the operation
is not analyzed. In this case, there is a need to carry out the
"ciphertext-only attack" in order to cryptoanalyze, so that it is very
difficult to find the encryption key. However, in the case where the
data entered by the user are to be stored into the memory by encrypting
them, the user can freely select the input data. For this reason, it is
possible for the user to make the "chosen-plaintext attack" against the
encryption key which is far more effective than the "ciphertext-only
attack".

Against the chosen-plaintext attack, it is possible to adopt a measure
for enlarging the search space by adding a random number called "salt"
into the plaintext to be protected. However, it is very tedious to
implement the saving into the memory in a form where the "salt" random
number is incorporated in every data at the application programming
level, so that this can cause the lowering of the programming
efficiency and performance.

For this reason, the random number generation mechanism 252 generates
the random number (encryption key) for encrypting the context at each
occasion of the context saving. As the encryption key can be selected
arbitrarily, there is also an effect that the safe communications
between processes or between processes and devices can be realized
faster. This is because the speed for encrypting data by the hardware
at a time of the memory access is far slower in general than the speed
for encrypting data by the software.

On the contrary, if the value of the encryption key for the data region
is limited to a presented value such as that identical to the execution
code encryption key for example, then it becomes impossible to use the
data encryption function of the processor for the other programs
encrypted by the other encryption keys or the sharing of the encrypted
data with the devices, so that it becomes impossible to take advantage
of the fast hardware encryption function provided in the processor.

Note that the decryption of the encrypted random number E_Kcode[Kr] 832
that takes place at a time of the restart and the generation of the
signature 834 can be based on any algorithm and secret information as
long as a condition that they can be carried out only by the
microprocessor 101 is satisfied. In the above example, the secret key
Ks unique to the microprocessor 101 (which is also used for the
decryption of the execution code encryption key Kcode) is used for
both, but respectively different values may be used for these purposes.

Also, the saved context contains a flag indicating the
presence/absence of the encryption, so that the encrypted context
information and the non-encrypted context information can coexist
according to the need. The TSS size and the flag indicating the
presence/absence of the encryption are stored in a plaintext form so
that it is easy to maintain the compatibility with respect to the past
programs.

<Processing for Restarting the Interrupted Program>

At a time of restarting the process by recovering the context, the OS
issues a jump or call instruction with respect to a TSS descriptor
indicating the saved TSS.

Returning now to FIG. 4, the execution code encryption key and
signature verification unit 257 of the exception processing unit 131
verifies the signature S_Ks[message] 834 by using the secret key Ks of
the processor first, and sends the verification result to the exception
processing unit 255. In the case where the verification result is
failure, the exception processing unit 255 stops the restart of the
execution of the program, and causes the exception. By this
verification, it is possible to confirm that the context information is
surely generated by the proper microprocessor 101 that has the secret
key and not altered.

When the verification of the signature succeeds, the context
information encryption/decryption unit 254 obtains the random number Kr
by decrypting the context encryption key E_Kp[Kr] 833 by using the
secret key Ks. On the other hand, the execution code encryption key
Kcode corresponding to the program counter (EIP) 809 is taken out from
the page table buffer 230, and sent to the current code encryption key
memory unit 251. The context information encryption/decryption unit 254
decrypts E_Kcode[Kr] by using the execution code decryption key Kcode,
and sends the result to the execution code encryption key and signature
verification unit 257. The execution code encryption key and signature
verification unit 257 verifies whether the decryption result of
E_Kcode[Kr] 832 coincides with the decryption result of the
microprocessor using the secret key Ks or not. By this verification, it
is possible to confirm that this context information is generated by
the execution of the execution codes encrypted by using the secret key
Kcode.

If this verification of the execution code encryption key with respect
to the context information is not carried out, it would become possible
for the user to make an attack by producing codes encrypted by using
any suitable secret key Ka and applies the context information obtained
by executing these codes to the codes encrypted by the other secret key
Kb. The above verification eliminates a possibility of this attack and
guarantees the safety of the context information for the protected
codes.

This object can also be achieved by adding a secret execution code
encryption key Kcode to the context information, but in this
embodiment, by the use of the value E_Kcode[Kr] in which a secret
random number Kr used in encrypting the context information is
encrypted by using the execution code encryption key Kcode selected by
the program vendor, it is possible to reduce the amount of memory
required for saving the context information so as to achieve the
effects of the fast context switching and the memory saving. This also
enables the feedback of the context information to the program creator.

Now, when the verification of the execution code encryption key and the
verification of the signature by the execution code encryption key and
signature verification unit 257 both succeed, the context is recovered
to the register file 253, and the program counter value is also
recovered so that the control is returned to an address at a time of
the execution interruption that caused to generate this context.

When either one of these verifications fails so that the exception
processing unit 255 causes the exception to occur, an exception
occurrence address indicates an address at which the jump or call
instruction is issued. Also, a value indicating illegality of the TSS
is stored into an interruption cause field in the IDT table, and an
address of a jump target TSS is stored into a register that stores an
address that is the cause of the interruption. In this way, the OS can
learn the cause of the context switching failure.

Note that, in order to realize the faster restart processing, it is
also possible to use a configuration in which the supply of the
execution state encrypted by the context information
encryption/decryption unit 254 to the register file 253 and the
processing by the execution code encryption key and signature
verification unit 257 are carried out in parallel, and the subsequent
processing is stopped when the verification fails.

The safety of this encryption scheme using a random number depends on
the impossibility to predict a random number sequence used, and a
method for generating by hardware a random number that is very hard to
predict is disclosed in Onodera, et al., Japanese Patent No. 2980576.

The analysis of the context information by the program vendor is
important in improving the quality of the program by analyzing the
causes of any trouble in the program that occurred according to a
condition by which the program is used by the user. In this embodiment,
in view of this fact, the above described scheme for realizing both the
safety of the context and the capability of the context information
analysis by the program vendor is employed, but it is also true that
the use of this scheme increases the overhead of the context saving.

Moreover, the verification of the context information by using the
signature made by the microprocessor prevents the execution of the
protected codes in the illegal context information by using a
combination of arbitrarily selected value and encryption key, but this
additional protection also increases the overhead.

Consequently, in the case where there is no need for the capability of
the context information analysis by the program vendor or a mechanism
for eliminating the program restart using the illegal context
information, the context information containing information for
identifying the execution code encryption key may be directly encrypted
by using the secret key of the processor. Even in such a case, it is
still possible to make the intentional alteration of the context
cryptographically impossible, and prevent the context information from
being applied to a program encrypted by using a different encryption
key.

Here, the context saving format will be described further. Its
relationship with the operation will be described later. In FIG. 10, an
"R" bit 825-1 is a bit indicating whether the context is restartable or
not. When this bit is set to "1", the execution can be restarted by
recovering the state saved in the context by the above described
recovery procedure, whereas when this bit is set to "0", the restart
cannot be made. This has an effect of preventing the restart of the
context in which the illegality is detected during the execution of the
encrypted program so as to limit the restartable contexts to only those
in the proper states.

A "U" bit 825-2 is a flag indicating whether the TSS is a user TSS or a
system TSS. When this bit is set to "0", the saved TSS is the system
TSS, and when this bit is set to "1", the saved TSS is the user TSS.
The TSS that will be saved and recovered through the task switching
accompanied by the change of the privilege from the exception entry as
described above or through a task gate call up is the system TSS.

The difference between the system TSS and the user TSS lies in whether
a task register indicating a TSS saving location of the currently
executed program is to be updated or not at a time of the recovery of
the TSS. In the recovery of the system TSS, the task register of the
currently executed program will be saved in the link to the previous
task region 801 of the TSS to be newly recovered, and the segment
selector of the new TSS will be read into the task register. On the
other hand, in the recovery of the user TSS, the update of the task
register value will not be carried out. The user TSS is aimed only at
the saving and the recovery of the register state of the program so
that it is not accompanied by the change of the privileged mode.
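
The save and restart checks described above (a fresh Kr per save, the two wrapped copies 832 and 833, the signature 834, and the comparison that stops a context made under key Ka from being applied to code under Kb) can be followed in a small model. This is an added example, not code from the patent. Assumptions: the unspecified secret key algorithm is replaced by an XOR keystream from SHAKE-256, the processor-only operations use one symmetric secret in the role of Ks with HMAC-SHA-256 as the signature (the text allows any algorithm only the processor can carry out), the `nonce` field is constructed, and the Kcode for the restart address is passed in as `kcode_at_eip` instead of being looked up from the page table.

```python
import hashlib
import hmac
import os


class RestartError(Exception):
    """Raised when the processor refuses to restart from a saved context."""


def stream_xor(key: bytes, nonce: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): XOR with a SHAKE-256 keystream bound to
    # the key, the per-save nonce and a field label. Applying it twice decrypts.
    stream = hashlib.shake_256(key + nonce + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class Processor:
    def __init__(self) -> None:
        self._ks = os.urandom(32)  # processor-only secret, in the role of Ks

    def _sign(self, rec: dict) -> bytes:
        # Role of signature 834: covers the flag, both wrapped keys and the context.
        msg = (bytes([rec["encrypted"]]) + rec["nonce"] + rec["e_kcode_kr"]
               + rec["e_kp_kr"] + rec["ctx"])
        return hmac.new(self._ks, msg, hashlib.sha256).digest()

    def save_context(self, registers: bytes, kcode: bytes) -> dict:
        kr = os.urandom(16)     # fresh random key Kr for every save
        nonce = os.urandom(16)  # constructed field, not in the patent's layout
        rec = {
            "encrypted": 1,     # plaintext flag: context is encrypted
            "nonce": nonce,
            "ctx": stream_xor(kr, nonce, b"ctx", registers),
            "e_kcode_kr": stream_xor(kcode, nonce, b"832", kr),   # vendor copy
            "e_kp_kr": stream_xor(self._ks, nonce, b"833", kr),   # processor copy
        }
        rec["sig"] = self._sign(rec)
        return rec

    def restart(self, rec: dict, kcode_at_eip: bytes) -> bytes:
        # Check 1: the record was produced by this processor and is unaltered.
        if not hmac.compare_digest(rec["sig"], self._sign(rec)):
            raise RestartError("signature")
        # Check 2: Kr recovered with the processor secret must equal Kr recovered
        # with the key of the code being restarted.
        kr_proc = stream_xor(self._ks, rec["nonce"], b"833", rec["e_kp_kr"])
        kr_code = stream_xor(kcode_at_eip, rec["nonce"], b"832", rec["e_kcode_kr"])
        if not hmac.compare_digest(kr_proc, kr_code):
            raise RestartError("kcode mismatch")
        return stream_xor(kr_proc, rec["nonce"], b"ctx", rec["ctx"])


def vendor_decrypt(rec: dict, kcode: bytes) -> bytes:
    # The vendor knows Kcode but not the processor secret.
    kr = stream_xor(kcode, rec["nonce"], b"832", rec["e_kcode_kr"])
    return stream_xor(kr, rec["nonce"], b"ctx", rec["ctx"])


if __name__ == "__main__":
    cpu = Processor()
    ka, kb = b"A" * 16, b"B" * 16                  # constructed code keys
    regs = b"EIP=00401000 EAX=00000007"            # constructed register image
    saved = cpu.save_context(regs, ka)
    print("restart under Ka:", cpu.restart(saved, ka))
    print("vendor analysis: ", vendor_decrypt(saved, ka))
    try:
        cpu.restart(saved, kb)
    except RestartError as exc:
        print("restart under Kb refused:", exc)
```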

The exception includes a software interrupt used for the system call up
from the application program. In the case of the software interrupt for
the purpose of the system call up, the general purpose register is
often used for the parameter exchange, and there can be cases where the
context information encryption can obstruct the parameter exchange.

The software interrupt is generated by the application itself, so that
it is possible for the application to destroy information of the
registers that have secrets, prior to the generation of the software
interrupt. Under the presumption of such conditions, it is possible to
use a scheme in which the encryption of the registers is not carried
out only in the case of the software interrupt. Of course, in such a
case, the application program creator should take this fact into
consideration and design the program such that the secrets of the
program can be protected.

Next, the suppression of the plaintext program debugging function will
be described.

The processor has a step execution function which causes the
interruption whenever one instruction is executed, and a debugging
function which causes the exception whenever a memory access with
respect to a specific address is made. These functions may be useful
for the development of programs but they can impair the safety of
programs that are encrypted for the purpose of the secret protection.
Consequently, in the microprocessor of this embodiment, such debugging
functions are suppressed during the execution of the encrypted program.

The instruction TLB 121 can judge whether the currently executed code
is protected or not (encrypted or not). During the execution of the
protected code, two debugging functions including a debug register
function and a step execution function are prohibited in order to
prevent an intrusion of the encrypted program analysis from a debug
flag or a debug register.

The debug register function is a function in which a memory access
range and an access type such as reading/writing as the execution code
or data are set in advance into a debug register provided in the
processor such that the interruption is caused whenever a corresponding
memory access occurs. In this embodiment, during the execution of the
protected code, the contents set in the debug register will be ignored
so that the interruption for the purpose of the debugging will not
occur. Note however that the case where a debug bit is set in the page
table is excluded from this rule. The debug bit in the page table will
be described later.

During the execution of a non-protected (plaintext) code, the
interruption will be caused whenever one instruction is executed if a
step execution bit in an EFLAGS register of the processor is set, but
during the execution of the protected code, this bit will also be
ignored so that the interruption will not occur.

In this embodiment, in addition to the encryption of the execution
codes for the purpose of preventing the analysis, these functions make
the analysis of the program by the user difficult by preventing the
dynamic analysis of the program using the debug register or the debug
flag.

<Data Protection>

Next, the protection of the processing target data of the execution
codes will be described.

In this embodiment, the encryption attributes for protecting data are
defined in four registers CY0 to CY3 that are provided inside the
microprocessor 101. They correspond to regions 717 to 720 shown in
FIG. 9. In FIG. 9, details of the registers CY0 to CY2 are omitted, and
only details of the register CY3 are shown.

Elements of the encryption attribute will now be described by taking
the CY3 register 717 as an example. Upper bits of the logical address
indicating a top of the region to be encrypted are specified in a base
address 717-1. The size of the region is specified in a size region
7174. A size is specified in units of the cache line so that there is
an invalid portion at the lower bits. A data encryption key is
specified in a region 717-5. Here the secret key algorithm is used so
that the region 717-5 is also used for the decryption key. When a value
of the encryption key is specified as "0", it implies that the region
indicated by that register is not encrypted.

Among the specifications of the regions, CY0 is given the highest
priority, and CY1 to CY3 are given sequentially lower priorities in
this order. For example, when the regions specified by CY0 and CY1
overlap, the attributes of CY0 are given the priority over those of CY1
in that region. Also, the definition of the page table is given the
highest priority in the case of a memory access as the execution code
rather than as the processing target data.

A debug bit 717-4 is used in selecting whether the data operation in
the debugging state is to be carried out in an encrypted state or in a
plaintext state. Details of the debug bit will be described later.

FIG. 12 shows the information flow in the encryption/decryption of the
processing target data of the execution codes. Here, the data
protection is made only in the state where the code is protected, that
is the code is executed in an encrypted state. Note however that the
case where the code is executed in the debugging state to be described
below will be excluded from this rule. When the code is protected, the
contents of the data encryption control registers (which will be also
referred to as the encryption attribute registers or the data
protection attribute registers) CY0 to CY3 are read from the register
file 253 shown in FIG. 4 to a data encryption key table 236 provided
inside the data TLB 141.

When some instruction writes data into a logical address "Addr", the
data TLB 141 judges whether the logical address "Addr" is contained in
ranges of CY0 to CY3 or not by checking the data encryption key table
236 (see FIG. 4). As a result of the judgement, if the encryption
attribute is specified, the data TLB 141 commands the code encryption
function 212 to encrypt the memory content by the specified encryption
key at a time of the memory writing of a corresponding cache line from
the L1 data cache 218 to the memory.

Similarly, in the case of reading, if the target address has the
encryption attribute, the data TLB 141 commands the data decryption
function 219 to decrypt the data by the specified encryption key at a
time of the reading of a cache line out to the corresponding L1 data
cache 218.
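
The lookup the data TLB performs on CY0 to CY3, and its effect on what reaches main memory, can be modelled as follows. This is an added example, not code from the patent. Assumptions: a 32-byte cache line, an XOR keystream from SHAKE-256 in place of the unspecified secret key algorithm, size 0 marking an unused register, and the reading that a higher-priority register with key "0" leaves an overlapping region in plaintext (the priority rule and the key "0" rule applied together).

```python
import hashlib
from typing import Dict, List, NamedTuple, Optional

LINE = 32  # assumed cache line size in bytes; the text gives no figure


class CY(NamedTuple):
    base: int  # line-aligned start of the region (base address field)
    size: int  # length in bytes, a multiple of LINE; 0 = unused (constructed)
    key: int   # data encryption key; 0 means the region is not encrypted


def select_key(cy: List[CY], addr: int, code_protected: bool) -> Optional[int]:
    """Key the data TLB applies to addr, or None when the line stays plaintext."""
    if not code_protected:          # data protection only while protected code runs
        return None
    for reg in cy:                  # cy[0] is CY0, the highest priority
        if reg.base <= addr < reg.base + reg.size:
            return reg.key or None  # first match wins, even when its key is 0
    return None


def xor_line(key: int, line_addr: int, data: bytes) -> bytes:
    # Stand-in cipher (assumption): keystream bound to the key and line address.
    seed = key.to_bytes(16, "big") + line_addr.to_bytes(8, "big")
    stream = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class MainMemory:
    """External memory as seen on the bus; the cache side always holds plaintext."""

    def __init__(self, cy: List[CY]) -> None:
        self.cy = cy
        self.ram: Dict[int, bytes] = {}

    def write_back(self, addr: int, line: bytes, code_protected: bool = True) -> None:
        if addr % LINE or len(line) != LINE:
            raise ValueError("write-back happens one whole cache line at a time")
        key = select_key(self.cy, addr, code_protected)
        self.ram[addr] = xor_line(key, addr, line) if key else line

    def fill(self, addr: int, code_protected: bool = True) -> bytes:
        key = select_key(self.cy, addr, code_protected)
        stored = self.ram[addr]
        return xor_line(key, addr, stored) if key else stored


if __name__ == "__main__":
    # Constructed register contents: CY0 overlaps the start of CY1.
    regs = [CY(0x1000, 0x40, 0xAAAA), CY(0x1000, 0x100, 0xBBBB),
            CY(0, 0, 0), CY(0, 0, 0)]
    mem = MainMemory(regs)
    mem.write_back(0x1000, bytes(range(LINE)))
    print("on the bus :", mem.ram[0x1000].hex())
    print("in the core:", mem.fill(0x1000).hex())
```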

In this embodiment, the data encryption attributes are protected from
the illegal rewriting including the privilege of the OS by placing all
the data encryption attributes for the data encryption in the registers
inside the microprocessor 101 and saving the contents of the registers
at a time of the execution interruption as the context information in a
safe form into a memory (the main memory 281 of FIG. 4, for example)
external of the microprocessor 101.

The data encryption/decryption is carried out in units of the cache
line that is interleaved as described above in relation to the context
encryption. For this reason, even when one bit of the data on the L1
cache 114 is rewritten, the other bits in the cache line will be
rewritten on the memory. The execution of the data reading/writing is
carried out collectively in units of the cache line, so that the
increase of the overhead is not so large, but it should be noted that
the reading/writing with respect to the encrypted memory regions cannot
be carried out in units less than or equal to the cache line size.

In the above, the method for protecting the data by encryption in this
embodiment has been described. By this method, on the main memory, it
is possible to process the encrypted data by encrypting them inside the
processor by using the encryption key and the memory range specified by
the application program, and read/write them as plaintext data from a
viewpoint of the application.

Next, two mechanisms for preventing reading of the data stored in a
plaintext form in the cache memory inside the processor by a program
other than the encrypted programs that has read these data (which will
be referred to as the other program) will be described.

First, the program is identified by its encryption key. This
identification is made by using a key object identifier used at a time
of decrypting the currently executed instruction inside the processor.
Here, a value of the key itself may be used for this identification,
but a value of the execution code decryption key has a rather large
size of 1024 bits before the decryption or of 128 bits after the
decryption which would require an increase of the hardware size, so
that the key object identifier which has a total length of only 10 bits
is used.

The L1 instruction cache 213 in which the decrypted execution codes are
to be stored has an attribute memories in correspondences to the cache
lines. When the decrypted execution codes are stored into the L1
instruction cache 213 by the code decryption function 212, the key
object identifier is written into the attribute memory.

Also, in the case of reading the encrypted data from the memory and
decrypting it, the contents of the data protection attribute registers
CY0 to CY3 are read out from the register file 253 to a protection
table management function 233 of the data TLB 141. At this point, the
key object identifier corresponding to the currently executed
instruction is also read from the current code encryption key memory
unit 251 at the same time and maintained in the protection table
management function 233.

Similarly as in the case of the instruction cache, the data cache 218
has attribute memories in correspondence to the cache lines. When the
data read out from the memory is decrypted by the data decryption
function 219 and stored into the L1 data cache 218, the key object
identifier is written into the attribute memory from the protection
table management function 233.

When some instruction is executed and the data referring is carried
out, the key object identifier written in the attribute of the data
cache and the key object of that instruction in the instruction cache
are compared by the secret protection violation detection unit 256. If
they do not coincide, the exception of the secret protection violation
occurs and the data referring fails. In the case where the attribute of
the data cache indicates a plaintext, the data referring always
succeeds.

Note that, when the attributes of the instruction and the data do not
coincide, instead of causing the exception, it is also possible to
discard the content of this data cache and re-read the data from the
memory once again.

For example, consider program-1 and program-2 for which the execution
code encryption key as well as the data protection attribute registers
CY0 to CY3 are different. If the encrypted data referred and written
into the cache by the program-1 is to be referred by the program-2, the
program-2 [...] secrets. If two programs have the same data encryption
key and the data at the same address are referred by them, the same
data [...] so that this data can be shared between them.

In this way, in this embodiment, data generated by some program-1 can
be protected from being referred by another program-2 by providing a
function for maintaining attributes of the instruction to be executed
and the data indicating programs to which they originally belong, and
comparing the attributes to see if they coincide or not at a time of
the data referring due to the instruction execution.

<Entry Gate>

In this embodiment, the cases where the control can be shifted from the
non-protected code to the protected code are limited only to the
following two cases:

(1) the case where the context encrypted by using the execution code
encryption key (that is, the context having a random number) that
coincides with a restart address is to be restarted; and

(2) the case where the control is shifted from a non-protected code to
an entry gate instruction ("egate" instruction) of the protected code,
by the execution of the consecutive codes or by a jump or call
instruction.

This limitation is placed in order to prevent an attacker from
obtaining information on code fragments by executing the code from
arbitrary position. The procedure for the above (1) has already been
described in relation to the context recovery. Namely, the control is
shifted to the execution of the protected code only when it is verified
that the context information matching with the execution code
encryption key of the code that was executed immediately before the
interruption is contained, and that the proper signature given by the
microprocessor 101 is attached.

The above (2) is a processing for prohibiting a transition to the
execution of the protected code unless a special instruction called
entry gate ("egate") instruction is executed at the beginning of the
control in the case of shifting the control from the non-protected code
to the protected code.

FIG. 11 shows a procedure for switching a protection domain based on
the entry gate instruction. The microprocessor 101 is maintaining the
encryption key of the currently executed code in the current code
encryption key memory unit 251 (see FIG. 4) of the exception processing
unit 131. First, whether the value of this key is changed in
conjunction with the execution of the instruction or not is judged
(step 601). When the change of the key value is detected (step 601 NO),
whether the instruction executed in conjunction with the change is an
entry gate ("egate") instruction or not is checked next (step S602). If
it is the entry gate instruction, it implies that it is a proper
instruction so that the control can be shifted to the changed code.
Consequently, when it is judged as an entry gate instruction (step 602
YES), this instruction is executed.

On the other hand, when it is judged as not an entry gate instruction
(step 602 NO), it implies that the interrupted instruction is an
improper instruction. In this case, whether the instruction that was
executed immediately previously is an encrypted (protected) instruction
or not is judged (step 603). If it is a non-protected instruction, the
exception processing can take place directly, but if it is a protected
instruction, there is a need to carry out the exception processing
while protecting that instruction.

Consequently, when it is judged as a non-protected instruction (step
603 NO), the exception processing is carried out directly, whereas when
it is judged as a protected instruction (step 603 YES), the
non-restartable exception processing is carried out while maintaining
the protected state.

By this limitation of the control shifting, the direct shifting of the
control from a plaintext code to a code at a location other than that
of the entry gate instruction is prohibited. The context recovery
implies the recovery of the state that was already executed once by
that program through the entry gate. Consequently, the execution of the
protected program must pass through the entry gate. By suppressing
locations for placing the entry gate to the minimum necessary number in
the program, there is an effect of preventing an attack for guessing a
program structure by executing the program from various addresses.

Also, at this entry gate, the initialization of the data protection
attribute registers is carried out. When the entry gate is executed, a
random number Kr is loaded into a key region (a region 717-5 in CY3) of
the data protection attribute registers CY0 to CY3 717 to 720 shown in
FIG. 9. The encryption target top address is set to "0", the size is
set to an upper limit of the memory, and the entire logical address
space is set as the encryption target. If the debug attribute is not
set in the execution code, the debug bit (717-3 in CY3) is set as
non-debugging.

In other words, at a timing of the encryption code execution start, all
the memory accesses are encrypted by using

protection attribute registers, at the entry gate in the case of
attaching more importance to the safety, even though this provision
makes the programming more restricted and the efficiency poorer. Even
in this case, the parameters such as stacks can be exchanged through a
memory region specified by a relative address or an absolute address of
the program counter. Note however that, similarly as in the case of the
context saving, the system registers including a part of the flag
registers and the task register are excluded from a target of the
encryption or the initialization of the registers for the sake of
continuation of the OS operation.

In this way, in the microprocessor 101 of this embodiment, the
fragmental execution of the protected code, especially the illegal
setting of the data protection state, is prevented, as the first
instruction to be executed at a time of shifting the control from the
program in the plaintext state to the protected program is limited to
the entry gate instruction and the registers including the data
protection attribute registers are initialized by the execution of the
entry gate instruction.

Next, the execution control of the protected program will be described.
First, the call up and the branching that are closed within the
protection domain will be described. The call up within the protection
domain is exactly the same as that for the usual programs. FIG. 13
shows the call up and the branching within the protection domain
conceptually.

The execution of the code 1101 in the protection domain is started as a
thread 1121 outside the protection domain is branched into an "egate"
(entry gate) instruction of the protection domain. By the execution of
the "egate" instruction, all the registers are initialized, and then
the data protection attributes are set up sequentially by the execution

theranckimnumberKrdeutrminedaLalimeof the entry gale of the program. The control is shilled to a branch target 

execution. Also, in Ibe execution code encryption control, "xxx" 1U1 in Ihe protection domain by a "jmp xxx" 

the definition in Ihe page table is given a higher priority as 35 instruction (processing 1122), and a "call yyy" instruction 

already mentioned above. This random number Kr is gen- located at an address "ppp" 1112 is executed (processing 

erated independently Ixom the random number used in the 1123). The calling source address "ppp" 1112 is pushed into 

context encryption. a slack memory 1102, and the control is shifted to a call 

By this mechanism, a protected program to be newly target "yyy M 1113. When the processing al Ihe call target is 

executed is set to he always encrypted by using a key 4i> completed and a "ret" instruction is executed, the control is 

determined randomly al a time of the start of all the memory shifted to a relurn address u ppp" 1112 in the slack. There is 

accesses. no limitation on the execution control while the execution 

Of course, in this state the entire memory region is code encryption key remains the same, 

encrypted so thai il is impossible to give parameters of Ihe Next, Ihe call up and Ibe branching from a protection 

system call through the memory or exchange data with the 45 domain to a non-protection domain will 1* described, l or 

other programs. I'or this reason, the program carries out the this control shifting, the execution of a special instruction 

processing by sequentially adjusting its own processing and the operation of the user" I'SS to be described below will 

environment by setting the data protection attribute registers be carried out in order to avoid a shifting from a protection 

such that the necessary memory region can be converted into domain to a non-protection domain that is not intended by 

plaintext so that it becomes accessible. Hy leaving the 50 the program creator and to protect the data protection state, 

register CY3 with a lowest priority in the initial setting of PKi. 14 shows the call up and the branching from a 

being encrypted by using the random number, while setting protection domain to a non-protected domain conceptually, 

the encryption key u 0" as the plaintext access setting for the where an execution code 1201 of the protection domain and 

other registers, it is possible to reduce a risk of accessing an an execution code 1202 of the non-protection domain arc 

unnecessary region as a plaintext and writing data to be kept 55 placed in respective domains. Also, a user TSS region 1203 

in secret by encryption out to a plaintext region by error. and a region 1204 for exchanging parameters with the 

The contents of the registers other than the data protection non-protection domain arc provided, 

attribute registers arc not encrypted even in the initialization The execution begins when a thread 1221 executes the 

at the entry gate, and pointers for specifying locations of cgatc" instruction. The program of the protection domain 

stacks or parameters can be stored therein. However, cares 00 saves the address of the user TSS region 1203 in a prescribed 

should be taken in the processing of the program to be parameter region 1204 before calling up the code of Ibe 

executed through the entry gate so that secrets of the non-protection domain. Then, the code of the non-protection 

program will not be stolen by calling up the entry gate by domain is called up by executing the "ecalT instruction. The 

selling illegal values into ibe registers. "ecall" instruction lakes two operands. One is a call large I 

It is also possible to use a configuration for initializing all 65 address, and the other is a saving target of the execution 

the registers other than Ihe ilags and Ihe program counter, stale. The "ecalT instruction saves the register slate at a lime 

including the general purpose registers other lhan the data of the call up (or more accurately the register stale when Ihe 
program counter is in a state after the "ecall" instruction is issued) into a region specified by the operand "uTSS", in a format similar to that in the case of the encrypted TSS described above. In the following, this region will be referred to as a user TSS.

The difference between the user TSS and the system TSS lies in that, in the user register shown in FIG. 10, a U flag is set in a region 825-2 on the TSS. The difference in the operation will be described later. In the saving of the user TSS into the memory, the data protection attributes defined in the data protection attribute registers CY0 to CY3 by the user are not applied, similarly as in the case of the saving of the context information into the system TSS.

The call target code of the non-protection domain cannot [illegible] 1204, and the necessary processing is carried out. There is no limitation on the programming in the non-protection domain. In the example of FIG. 14, a sub-routine "qqq" 1213 is called up (processing 1225). The call up from the protection domain can be adapted to the call up semantics of the sub-routine "qqq" by placing an adaptor code for copying stack pointing [illegible] the parameters to the stack, between "exx" and the call up of "qqq", for example. The processing result is sent to the calling source through the parameter region 1204 on the memory (processing 1226).

When the processing of the sub-routine is completed, a "sret" instruction is issued in order to return the control to the calling source protection domain (processing 1227).

The "sret" instruction takes one operand for specifying the user TSS, unlike the "ret" instruction that has no operand. Here, the user TSS 1203 is specified indirectly as the recovery information through a pointer stored in the parameter region "param" 1204. The recovery of the user TSS by the "sret" instruction largely differs from the recovery of the system TSS in that the task register is not affected at all even when the user TSS is recovered. The task link field of the user TSS will be ignored. The recovery will fail when the system TSS with the U flag 825-2 set to "0" is specified in the operand of the "sret" instruction.

At a time of the execution of the recovery, the decryption of the execution state and the verification of the execution code encryption key and the signature already described above are carried out, and when the violation is detected, the exception of the secret protection violation will occur. When the verification succeeds, the execution is restarted from an instruction next to the calling source "ecall" instruction. This address is encrypted and signed in the user TSS, so that it is cryptographically impossible to forge this address. All the registers except for the program counter will be set back to the state before the call up, so that the code of the protection domain acquires the execution result of the sub-routine "exx" from the parameter region 1204.

At a time of shifting the control to the non-protection domain after the processing of the protection domain is completed, an "ejmp" instruction is used. The "ejmp" instruction does not carry out the saving of the state, unlike the "ecall" instruction. If the control is shifted from the protection domain to the non-protection domain by the instruction other than "ecall" and "ejmp", such as "jmp" or "call", the exception of the secret protection violation occurs and the encrypted context information is saved in the TSS region (a region indicated by the task register) of the system. Note that the context information will be marked as non-restartable at this point. Note also that specifying an address in the protection domain as a jumping target of the "ejmp" instruction does not cause the violation.

This completes the description of a procedure for call up from the protection domain to the non-protection domain and newly added instructions used in that procedure.

At a time of the recovery of the user TSS by the application, an attack for substituting the user TSS by the OS which has privileges is not entirely impossible. However, the interchangeable TSS information in such a case is only the context information whose execution is always started through the "egate" and which is saved by the saving of the execution state caused by the interruption or by the user explicitly, as long as the execution code encryption key of the protection domain is managed correctly. A possibility for the leakage of the secrets of the application due to the interchange of this context information is quite small, and it is quite difficult for an attacker to guess what kind of the context information interchange is necessary in acquiring the secrets of the application.

The procedure for call up from the protection domain to protection domains, [illegible] the instruction to be executed first at [illegible] call target is the egate instruction of the [illegible] side.

In this case, the call up between the protection domains can be carried out by [illegible] for exchanging parameters between these protection domains, by [illegible] key that is shared by carrying out the [illegible] key exchange between these protection [illegible] advance.

[illegible] according to the microprocessor of the [illegible] analysis by the OS or a [illegible] by protecting both the [illegible] processing target data of the execution codes by using the encryption, under the multi-task environment.

It becomes [illegible] of the encryption attributes in the case of saving the encrypted data.

[illegible] data by using arbitrary random number Kr [illegible] key as the key for the processing target data.

[illegible] the plaintext state, [illegible] feedback on the errors can be provided to the program vendor who knows the execution code encryption key.

[illegible] to prevent an [illegible] of the memories in the microprocessor and suppress the cost of the microprocessor by saving information that required the secret such as the encryption attribute information on an external [illegible] attaching a signature of the microprocessor, reading only the necessary portion into the [illegible] the microprocessor, and carrying out the verification of the signature at a time of reading. In this [illegible] the substitution at a time of the reading can also be [illegible].

It is also to be noted that, besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.

What is claimed is:

1. A microprocessor having a unique secret key and a unique public key corresponding to the unique secret key that cannot be read out to external, comprising:

a reading unit configured to read out a plurality of programs encrypted by using different execution code encryption keys from an external memory;

a decryption unit configured to decrypt the plurality of programs read out by the reading unit by using respective decryption keys;
an execution unit configured to execute the plurality of programs decrypted by the decryption unit;

a context information saving unit configured to save a context information for one program whose execution is to be interrupted, into the external memory or a context information memory provided inside the microprocessor, the context information containing information indicating an execution state of the one program and the execution code encryption key of the one program; and

a restart unit configured to restart an execution of the one program by reading out the context information from the external memory or the context information memory, and recovering the execution state of the one program from the context information;

wherein the context information saving unit is configured to generate a random number as a temporary key, to encrypt the context information, and to save an encrypted context information into the external memory, the encrypted context information containing a first value obtained by encrypting information indicating the execution state of the one program by using the temporary key and a second value obtained by encrypting the temporary key by using the public key;

the restart unit is configured to restart the execution of the one program by reading out the encrypted context information from the external memory, decrypting the temporary key from the second value contained in the encrypted context information by using the secret key, decrypting the information indicating the execution state from the first value contained in the encrypted context information by using a decrypted temporary key, and recovering the execution state of the one program from a decrypted context information; and

the context information saving unit saves the encrypted context information that also contains a third value obtained by encrypting the temporary key by using the execution code encryption key of the one program.

2. The microprocessor of claim 1, wherein the restart unit decrypts a first temporary key from the second value contained in the encrypted context information by using the secret key and decrypts the information indicating the execution state from the first value contained in the encrypted context information by using the first decrypted temporary key, while decrypting a second temporary key from the third value contained in the encrypted context information by using the execution code encryption key of the one program, and restarts the execution of the one program only when the first decrypted temporary key coincides with the second decrypted temporary key.
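
The context save and restart flow of claims 1 and 2, as an added example that is not part of the patent text: a random temporary key encrypts the execution state (first value) and is itself wrapped under the processor's public key (second value) and under the program's execution code encryption key (third value), and restart is refused unless both unwrapped copies coincide. The toy RSA parameters, the SHA-256 keystream cipher and all function names are assumptions made for illustration; the claims name no algorithms.

```python
import hashlib
import hmac
import secrets

# Toy RSA pair standing in for the processor's secret/public keys. NOT secure:
# textbook RSA over two Mersenne primes, chosen only so the block runs offline.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # secret exponent, never leaves the chip
N_LEN = (N.bit_length() + 7) // 8


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def save_context(state: bytes, code_key: bytes) -> dict:
    """Context information saving unit of claim 1."""
    temp = secrets.token_bytes(16)                  # random temporary key
    return {
        "first": stream_xor(temp, state),           # state under temporary key
        "second": pow(int.from_bytes(temp, "big"), E, N),  # temp under public key
        "third": stream_xor(code_key, temp),        # temp under code key
    }


def restart(ctx: dict, code_key: bytes) -> bytes:
    """Restart unit of claim 2: recover the temporary key twice and restore
    the execution state only when both copies coincide."""
    t1 = pow(ctx["second"], D, N).to_bytes(N_LEN, "big")
    t2 = stream_xor(code_key, ctx["third"]).rjust(N_LEN, b"\0")
    if not hmac.compare_digest(t1, t2):
        raise ValueError("temporary keys do not coincide; restart refused")
    return stream_xor(t2[-16:], ctx["first"])


def forged_context(state: bytes) -> dict:
    """Constructed negative case: the public key is known, the code key is
    only guessed, so the third value cannot match."""
    return save_context(state, secrets.token_bytes(16))


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    state = b"pc=0x1000 sp=0x7ff0"   # constructed sample execution state
    print(restart(save_context(state, key), key))
```

A context assembled by a party that knows only the public key fails the coincidence check, because a matching third value can be produced only with the execution code encryption key.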